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Summary 

Persistent  computer  security  vulnerabilities  may  expose  U.S.  critical 
infrastructure  and  government  computer  systems  to  possible  cyber  attack  by 
terrorists,  possibly  affecting  the  economy  or  other  areas  of  national  security.  This 
report  discusses  possible  cyber  capabilities  of  terrorists  and  sponsoring  nations, 
describes  how  computer  security  vulnerabilities  might  be  exploited  through  a  cyber 
terror  attack,  and  raises  some  potential  issues  for  Congress. 

Currently  no  evidence  exists  that  terrorist  organizations  are  actively  planning 
to  use  computers  as  a  means  of  attack,  and  there  is  disagreement  among  some 
observers  about  vs4iether  critical  infrastructure  computers  offer  an  effective  target  for 
furthering  terrorists’  goals.  However,  terrorist  organizations  now  use  the  Internet  to 
communicate,  and  news  reports  have  indicated  that  A1  Qaeda  and  other  groups  may 
be  using  computer  technology  to  help  plan  future  terrorist  attacks.  At  the  same  time, 
nuisance  attacks  against  computer  systems  and  die  Internet  are  becoming  more  rapid 
and  widespread,  indicating  that  computer  system  vulnerabilities  persist  despite 
growing  concerns  about  possible  effects  on  national  security. 

This  report  presents  a  working  definition  for  the  term  “cyber  terrorism”,  plus 
background  information  describing  how  current  technology  and  management 
processes  may  leave  computers  exposed  to  cyber  attack,  and  a  discussion  of  possible 
effects  of  a  cyber  attack.  Potential  issues  for  Congress  are  presented  in  the  second 
section,  including:  whether  appropriate  guidance  exists  for  a  DOD  information 
warfare  response  to  a  cyber  attack;  vdiether  the  need  to  detect  possible  cyber  terrorist 
activity  interferes  with  individual  privacy;  whether  the  roles  and  responsibilities  for 
protecting  against  a  possible  cyber  terrorist  attack  need  more  clarity  for  government, 
industry,  and  home  users;  and,  vdiether  information  sharing  on  cyber  threats  and 
vulnerabilities  must  be  further  increased  between  private  industry  and  the  federal 
government.  The  final  section  describes  possible  policy  options  for  improving 
protection  against  threats  from  possible  cyber  terrorism. 

Appendices  to  this  report  explain  technologies  underlying  computer  viruses, 
worms,  and  spyware,  how  these  malicious  programs  enable  cyber  crime  and  cyber 
espionage,  and  how  tactics  currently  used  by  computer  hackers  might  also  be 
employed  by  terrorists  vdiile  planning  a  possible  cyber  terror  attack. 

This  report  will  be  updated  to  accommodate  significant  changes. 
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Introduction 

Many  Pentagon  officials  reportedly  believe  that  future  adversaries  may  be 
unwilling  to  array  conventional  forces  against  U.S.  troops,  and  instead  may  resort  to 
“asymmetric  warfare”*,  viiere  a  less  powerful  opponent  uses  other  strategies  to  offset 
and  negate  U.S.  technological  superiority.  Also,  partly  because  the  U.S.  military 
relies  significantly  on  the  civilian  information  infrastructure,  these  officials  believe 
that  future  conflicts  may  be  characterized  by  a  blurring  in  distinction  between  civilian 
and  military  targets.^  As  a  consequence,  they  believe  that  government  and  civilian 
computers  and  information  systems  are  increasingly  becoming  a  viable  target  for 
opponents  of  the  U.S.,  including  international  terrorist  groups. 

Terrorist  groups  today  frequently  use  the  hitemet  to  communicate,  raise  funds, 
and  gather  intelligence  on  future  targets.  Althou^  there  is  no  published  evidence 
that  computers  and  the  Internet  have  been  used  directly,  or  targeted  in  a  terrorist 
attack,^  malicious  attack  programs  currently  available  through  the  Internet  can  allow 
anyone  to  locate  and  attack  networked  computers  that  have  security  vulnerabilities, 
and  possibly  disrupt  other  computers  without  the  same  vulnerabilities.  Terrorists 
could  also  use  these  same  malicious  programs,  together  with  techniques  used  by 
computer  hackers  (see  Appendix  A),  to  possibly  launch  a  widespread  cyber  attack 
against  computers  and  information  tystems  that  support  the  U.S.  critical 
infrastructure. 

Some  security  experts  believe  that  past  discussions  about  cyber  terrorism  may 
have  over-inflated  the  perceived  risk  to  the  critical  infrastructure.'*  However,  other 


’  According  to  Pentagon  officials,  the  supporting  infrastructure  (power  grid,  phone  network, 
the  Internet,  etc.)  for  United  States  technology  would  likely  become  a  target  for  asymmetric 
warfare  attack.  Jonathan  B.  Tucker,  1999,  Asymmetric  Warfare,  Forum  for  Applied 
Research  and  Public  Policy,  vol.  14,  no.  2. 

^  Dan  Kuehl,  professor  at  the  National  Defense  University  School  of  Information  Warfare 
and  Strategy,  has  pointed  out  that  a  high  percentage  of  U.S.  military  messages  flow  through 
commercial  commimications  channels,  and  this  reliance  creates  a  vulnerability  during 
conflict. 

^  John  Arquilla  and  David  Ronfeldt,  o/Aetwar  Networks  and 

Netwars:  The  Future  of  Terror,  Crime  and  Militancy,  Rand,  Santa  Monica,  2001,  p.  1-28. 

The  critical  infrastructure  is  viewed  by  some  as  more  resilient  than  previously  thought  to 
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observers  believe  that  security  threats  are  continuously  evolving  along  with  changes 
in  technology.  They  believe  that  terrorist  groups  are  recruiting  new,  younger 
members  more  knowledgeable  about  computer  technology,  and  that  some  day  a 
terrorist  group  may  attempt  to  use  computers  as  a  weapon. 

The  Background  section  of  this  report  presents  a  working  definition  of  cyber 
terrorism,  and  describes  how  persistent  vulnerabilities  in  computer  systems  operated 
by  government,  industry,  and  home  PC  users  enable  computer  attacks  to  be 
successful.  The  next  section  presents  potential  issues  for  Congress  pertaining  to  the 
risks  of  cyber  terrorism.  The  final  section  presents  policy  options  addressing  related 
issues.  Three  appendices  describe,  in  more  detail,  Ae  technology  and  tactics  used  in 
a  computer  attack. 


Background 

The  federal  government  has  taken  steps  to  improve  its  own  computer  security 
and  to  encourage  the  private  sector  to  also  adopt  stronger  computer  security  policies 
and  practices  to  reduce  infrastructure  vulnerabilities.  In  2002,  the  Federal 
Information  Security  Management  Act  (FISMA)  was  enacted  giving  the  Office  of 
Management  and  Budget  (0MB)  responsibility  for  coordinating  information  security 
standards  and  guidelines  developed  by  civilian  federal  agencies.^  In  2003,  the 
National  Strategy  to  Secure  Cyberspace  was  published  by  the  Administration  to 
encourage  the  private  sector  to  improve  computer  security  for  the  U.S.  critical 
infrastructure  through  having  federal  agencies  set  an  example  for  best  security 
practices.® 

The  Department  of  Homeland  Security  (DHS)  has  created  the  National  Cyber 
Security  Division  (NCSD)  under  the  Department’s  Information  Analysis  and 
Infrastructure  Protection  Directorate.’  The  NCSD  oversees  a  Cyber  Security 
Tracking,  Analysis  and  Response  Center  (CSTARC)  which  is  tasked  with  conducting 
analysis  of  cyberspace  threats  and  vulnerabilities,  issuing  alerts  and  warnings  for 
cyber  threats,  improving  information  sharing,  responding  to  major  cyber  security 
incidents,  and  ai^ng  in  national-level  recovery  efforts.  In  addition,  a  new  Cyber 


''  (...continued) 

the  effects  of  a  computer  attack.  Drew  Clark,  June  3,  2003,  Computer  Security  Officials 
Discount  Chances  of  ‘Digital  Pearl  Harbor  ’,  [http://www.GovExec.com.] 

®  GAO  has  noted  that  many  federal  agencies  have  not  implemented  security  requirements 
for  most  of  their  systems,  and  must  meet  new  requirements  imder  FISMA.  See  GAO  Report 
GAO-03-852T,  Information  Security:  Continued  Efforts  Needed  to  Fully  Implement 
Statutory  Requirements,  June  24, 2003. 

®  Tinabeth  Burton,  May  7,  2003,  ITAA  Finds  Much  to  Praise  in  National  Cybersecurity 
Plan,  [http://www.itaa.org/news/pr/PressRelease.cfm?ReleaseID=1045252973] 

’’  DHS  is  comprised  of  five  major  divisions  or  directorates:  Border  &  Transportation 
Secmity;  Emergency  Preparedness  &  Response;  Science  &  Technology;  Information 
Analysis  &  Infrastructure  Protection;  and  Management.  See 
[http://www.dhs.gov/dhspubIic/dispIay?theme=52.] 
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Warning  and  Information  Network  (CWBSf)  has  begun  operation  in  30  locations,  and 
serves  as  an  early  warning  system  for  cyber  attacks.* 

In  January  2003,  the  administration  announced  the  creation  of  a  new  Terrorist 
Threat  Integration  Center  (TTIC)  to  monitor  and  analyze  threat  information  gathered 
by  other  agencies.  Leadership  for  TTIC  comes  from  senior  officers  of  the  CIA,  FBI, 
DOD,  DHS  and  the  Department  of  State,  ’i\hich  are  the  component  agencies  of  the 
TTIC.  The  TTIC  itself  has  no  independent  authority  to  collect  intelligence,  and 
instead  operates  by  combining  the  data  elements  and  information  on  trans-national 
terrorist  activity  collected  by  component  agencies.  Some  observers  have  suggested 
that  the  TTIC  should  be  housed  within  the  DHS,  ratiier  than  within  the  CIA,  in  order 
to  eliminate  possible  cultural  and  constitutional  conflicts  between  the  CIA  and  the 
FBI.® 

However,  despite  growing  concerns  for  national  security,  computer 
vulnerabilities  persist,  the  number  of  computer  attacks  reported  by  industry  and 
government  has  increased  every  year,  and  federal  agencies  have,  for  the  past  2  years, 
come  under  criticism  for  the  effectiveness  of  their  computer  security  programs. In 
addition,  a  study  by  one  computer  security  organization  found  that,  during  the  latter 
half  of  2002,  the  highest  rates  for  globd  computer  attack  activity  were  directed 
against  critical  infrastructure  industry  companies,  such  as  power,  energy,  and 
financial  services.”  In  January  2003,  an  Internet  worm  reportedly  entered  the 
computer  network  at  a  closed  nuclear  power  plant  located  in  Ohio,  and  disrupted  its 
computer  systems  for  over  5  hours.”  Also,  during  the  August  14,  2003  power 
blackout,  the  Blaster  computer  worm  may  have  degraded  the  performance  of  several 
communications  lines  linking  key  data  centers  used  by  utility  companies  to  manage 
the  power  grid.” 


*  Bara  Vaida,  June  25,  2003,  Warning  Center  for  Cyber  Attacks  is  Online,  Official  Says, 
Daily  Briefing,  GovExec.com. 

®  Dan  Eggan,  1, 2003,  Center  to  Assess  Terrorist  Threat,  Washington  Post,  p.  AlO. 

Based  on  2002  data  submitted  by  federal  agencies  to  the  White  House  Office  of 
Management  and  Budget,  GAO  noted,  in  testimony  before  the  House  Committee  on 
Government  Reform  (GAO-03-564T,  April  8, 2003),  that  all  24  agencies  continue  to  have 
“significant  information  security  weaknesses  that  place  a  broad  array  of  federal  operations 
and  assets  at  risk  of  fraud,  misuse,  and  disruption.”,  Christopher  Lee,  November  20, 2002, 
Agencies  Fail  Cyber  Test:  Report  Notes  ‘Significant  Weaknesses  ’  in  Computer  Security, 
[http://www.washingtonpost.com/ac2/wp-dyn/A12321-2002Novl9?language=printer.] 

”  Symantec,  February  2003,  Symantec  Internet  Security  Threat  Report,  p.48. 

”  Safety  was  not  compromised  because  die  Davis-Besse  nuclear  power  plant  at  Lake  Erie 
had  been  shut  down  since  February  2003.  This  event  indicated  the  potential  for  possible 
widespread  disruption  solely  through  transmission  of  malicious  computer  code.  AP, 
September  4, 2003,  NRC  Confirms  Internet  ‘worm  ’Hit  Ohio  Plant,  Washington  in  Brief, 
Washington  Post,  p.  AOS. 

”  The  exact  cause  of  the  blackout  is  still  unknown,  however,  congestion  caused  by  the 
Blaster  worm  delayed  the  exchange  of  critical  power  grid  control  data  across  the  public 
telecommimications  netwoik,  which  could  have  hampered  the  operators’  ability  to  prevent 

(continued...) 
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Definition  of  Cyber  Terrorism 

It  is  first  important  to  note  that  no  single  definition  of  the  term  “terrorism”  has 
yet  gained  universal  acceptance.  Additionally,  no  single  definition  for  the  term 
“cyber  terrorism”  has  been  universally  accepted.  Also,  labeling  a  computer  attack 
as  “cyber  terrorism”  is  problematic,  because  it  is  often  difficult  to  determine  the 
intent,  identity,  or  the  political  motivations  of  a  computer  attacker  vsdth  any  certainty 
until  long  afi:er  the  event  has  occurred. 

There  are  some  emerging  concepts,  however,  that  may  be  combined  to  help 
build  a  working  definition  for  cyber  terrorism.  Under  22USC,  section  2656, 
terrorism  is  defined  as  premeditated,  politically  motivated  violence  perpetrated 
against  noncombatant  targets  by  sub  national  groups  or  clandestine  agents,  usually 
intended  to  influence  an  audience.  The  term  “international  terrorism”  means 
terrorism  involving  citizens  or  the  territory  of  more  than  one  country.  The  term 
“terrorist  group”  means  any  group  practicing,  or  that  has  significant  subgroups  that 
practice,  international  terrorism.’'* 

The  National  Inffastructure  Protection  Center  (NTPC),  now  within  DHS,  defines 
cyber  terrorism  as  “a  criminal  act  perpetrated  through  computers  resulting  in 
violence,  death  and/or  destruction,  and  creating  terror  for  the  purpose  of  coercing  a 
government  to  change  its  policies.”'^ 

By  combining  the  above  concepts,  “cyber  terrorism”  may  also  be  defined  as  the 
politic^ly  motivated  use  of  computers  as  weapons  or  as  targets,  by  sub-national 
groups  or  clandestine  agents  intent  on  violence,  to  influence  an  audience  or  cause  a 
government  to  change  its  policies.  The  definition  may  be  extended  by  noting  that 
DOD  operations  for  information  warfare’®  also  include  physical  attacks  on  computer 
facilities  and  transmission  lines. 

Finally,  other  security  experts  reportedly  believe  that  a  computer  attack  may  be 
defined  as  cyber  terrorism  if  Ae  effects  are  sufficiently  destructive  or  disruptive  to 
generate  fear  potentially  comparable  to  that  from  a  physical  act  of  terrorism.  Under 
this  “severity  of  effects”  view,  computer  attacks  that  are  perhaps  limited  in  scope,  but 


(...continued) 

the  cascading  effect  of  the  blackout.  Dan  Verton,  August  29, 2003,  Blaster  Worm  Linked 
to  Severity  of  Blackout,  Computerworld, 
[http://www.computerworld.com/printthis/2003/0,4814,84510,00.html.] 

’■*  The  US  Government  has  employed  fliis  definition  of  terrorism  for  statistical  and 
analytical  purposes  since  1983.  U.S.  Department  of  State,  2002,  Patterns  of  Global 
Terrorism, 2003,  [http://www.state.gOv/s/ct/rls/pgtrpt/2001/html/10220.htm.] 

’’  This  definition  comes  from  Ron  Dick,  2002  Director  of  NIPC.  Scott  Berinato,  March  15, 
2002,  The  Truth  About  Cyberterrorism,  CIO. 

DOD  information  warfare  operations  include  the  use  of  directed  energy  weapons  that  can 
deliver  high-energy  electromagnetic  pulses  to  destroy  computer  circuits.  Clay  Wilson, 
March  14,  2003,  Information  Warfare  and  Cyberwar:  Capabilities  and  Related  Policy 
Issues,  CRS  Report  RL31787. 
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that  lead  to  death,  injury,  extended  power  outages,  airplane  crashes,  water 
contamination,  or  maj  or  loss  of  confidence  portions  of  the  economy  may  also  qualify 
as  cyber  terrorism.'^ 

Why  Computer  Attacks  are  Successful 

Networked  computers  with  exposed  vulnerabilities  may  be  disrupted  or  taken 
over  by  an  attacker.  Computer  hackers  opportunistically  scan  the  Internet  looking  for 
computer  systems  that  do  not  have  necessary  or  current  software  security  patches 
instiled,  or  that  have  improper  computer  configurations  leaving  them  vulnerable  to 
potential  security  exploits.  Even  computers  with  up-to-date  software  security  patches 
installed  may  still  be  vulnerable  to  a  type  of  attack  known  as  a  “zero-day  exploit”. 
This  may  occur  if  a  computer  hacker  discovers  a  new  vulnerability  and  launches  a 
malicious  attack  program  onto  the  Internet  before  a  security  patch  can  be  created  by 
the  software  vendor  and  made  available  to  provide  protection  to  software  users. 
Should  aterrorist  group  attempt  to  launch  a  coordinated  attack  against  computers  that 
manage  the  U.S.  critical  infrastructure,  they  may  copy  some  of  the  tactics  now 
commonly  used  by  computer  hacker  groups  to  find  computers  with  vulnerabilities 
and  then  systematically  exploit  those  vulnerabilities  (see  Appendices  A,  B,  and  C). 

Why  Computer  Vulnerabilities  Persist 

Vulnerabilities  provide  the  entry  points  for  a  computer  attack.  Vulnerabilities 
persist  largely  as  a  result  of  poor  security  practices  and  procedures,  inadequate 
training  in  computer  security,  and  poor  quality  in  software  products.'®  For  example, 
within  some  organizations,  an  important  software  security  patch  might  not  get 
scheduled  for  installation  on  computers  until  several  weeks  or  months  after  the 
security  patch  is  made  available  by  the  software  product  vendor.'®  Sometimes  this 
delay  may  occur  if  an  organization  does  not  actively  enforce  its  own  security  policy, 
or  if  the  security  function  is  under-staffed,  or  sometimes  die  security  patch  itself  may 
disrupt  the  computer  when  installed,  forcing  the  systems  administrator  to  take 
additional  time  to  adjust  the  computer  configuration  to  accept  die  new  patch.  To 
avoid  potential  disruption  of  computer  systems,  sometimes  a  security  patch  is  tested 
for  compatibility  on  an  isolated  network  before  it  is  distributed  for  installation  on 
other  computers.  As  a  result  of  delays  such  as  these,  the  computer  security  patches 
that  are  actually  installed  and  protecting  computer  systems  in  many  organizations,  at 


”  Dorothy  Denning,  November  2001,  Is  Cyber  War  Next?,  Social  Science  Research 
Council,  [http;//www.ssrc.org/setpl  1/essays/denning.htm.] 

The  SANS  Institute,  in  cooperation  widi  the  National  Infrastructure  Protection  Center 
(NIPC),  publishes  an  annual  list  of  the  10  most  commonly  exploited  vulnerabilities  for 
Windows  systems  andforUnix  systems.  SANS,  April  15  2003,  The  SANS/FBI  Twenty  Most 
Critical  Internet  Security  Vulnerabilities,  2003,  [http;//www.sans.org/top20/]. 

'®  A  survey  of 2000  PC  users  found  that  42%  had  not  downloaded  the  vendor  patch  to  ward 
off  the  recent  Blaster  worm  attack,  23%  said  they  do  not  regularly  download  software 
updates,  21%  do  not  update  their  anti-virus  signatures,  and  70%  said  they  were  not  notified 
by  their  companies  about  the  urgent  threat  due  to  the  Blaster  worm.  Jaikumar  Vijayan, 
August  25  2003,  IT  Managers  Say  They  Are  Being  Worn  Down  by  Wave  of  Attacks, 
Computeworld,  Vol.  37,  No.  34,  P.l. 
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any  point  in  time,  may  lag  considerably  behind  the  current  cyber  threat  situation. 
Whenever  delays  for  installing  important  security  patches  are  allowed  to  persist  in 
private  organizations,  in  government  agencies,  or  among  home  PC  users,  some 
computer  vulnerabilities  may  remain  open  to  possible  attack  for  long  periods  of  time. 

Many  security  experts  also  emphasize  that  if  systems  administrators  received 
proper  training  to  adhere  to  strict  rules  for  maintenance,  such  as  installing  published 
security  patches  in  a  timely  manner  or  keeping  their  computer  configurations  secure, 
dien  computer  security  would  greatly  improve  for  the  U.S.  critical  infrastructure.^® 

Commercial  software  vendors  are  often  criticized  for  consistently  releasing 
products  with  errors  that  create  vulnerabilities.^'  Government  observers  have 
reportedly  stated  that  approximately  80  percent  of  successful  intrusions  into  federal 
computer  systems  can  be  attributed  to  software  errors,  or  poor  software  quality. 
Richard  Clarke,  former  WTiite  house  cyberspace  advisor  under  the  Clinton  and  Bush 
Administrations  (until  2003),  has  reportedy  said  that  many  commercial  software 
products  have  poorly  written,  or  poorly  configured  security  features.^^  There  is 
currently  no  regulatory  mechanism  or  legal  liability  if  a  software  manufacturer  sells 
a  product  that  has  design  defects.  Often  the  licensing  agreement  that  accompanies 
die  software  product  includes  a  disclaimer  protecting  the  software  vendor  from  all 
liability. 


According  to  seciuity  group  Attrition.org,  failure  to  keep  software  patches  up  to  date 
resulted  in  99  percent  of  5,823  Web  site  defacements  in  2003.  Robert  Lemos,  2003, 
Software  “fixes”  routinely  available  but  often  ignored, 
[http://news.com.eom/2102-1017-251407.html]. 

In  September,  2003,  Microsoft  Corporation  announced  three  new  critical  flaws  in  its 
latest  Windows  operating  systems  software.  Security  experts  predicted  that  computer 
hackers  m^  possibly  exploit  these  new  vulnerabilities  by  releasing  more  attack  programs, 
such  as  the  “Blaster  worm”  that  recently  targeted  other  Windows  vulnerabilities  causing 
widespread  disruption  on  the  Internet.  Jaikumar  Vijayan,  September  15,  IQtB,  Attacks  on 
New  Windows  Flaws  Expected  Soon,  Computerworld,  Vol.  37,  No.  37,  p.  1. 

^  Johathan  Krim,  September  24,  2003,  Security  Report  Puts  Blame  on  Microsoft, 
Washingtonpost.com.  Joshua  Green,  November  2002,  The  Myth  of  Cyberterrorism,  The 
Washington  Monthly,  [http://www.washingtonmonthly.com/]. 

Agencies  operating  national  security  systems  must  purchase  software  products  from  a 
list  of  lab-tested  and  evaluated  products  in  a  program  that  requires  vendors  to  submit 
software  for  review  in  an  accredited  lab,  a  process  (known  as  certification  under  the 
Common  Criteria,  atesting  program  run  by  the  National  Information  Assurance  Partnership) 
that  often  takes  a  year  and  costs  several  thousand  dollars.  The  review  requirement 
previously  has  been  limited  to  military  national  security  software,  however,  the 
administration  has  stated  that  the  government  will  undertake  a  review  of  the  program  in 
2003  to  “possibly  extend”  it  as  a  new  requirement  for  civilian  agencies.  Ellen  Messmer, 
February  14, 2003,  White  House  issue  ‘National  Strategy  to  Secure  Cyberspace  ’,  Network 
World  Fusion,  [http://www.nwfusion.eom/news/2003/0214ntlstrategy.html.] 
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Many  major  software  companies  now  contract  for  development  of  large  portions 
of  their  software  products  in  countries  outside  the  United  States.^  Offshore 
outsourcing  may  give  a  programmer  in  a  foreign  country  the  chance  to  secretly  insert 
a  Troj  an  Horse  or  other  malicious  trapdoor  into  a  new  commercial  software  product. 
In  2003,  GAO  is  reportedly  beginning  a  review  of  DOD  reliance  on  foreign  software 
development  to  determine  the  adequacy  of  measures  intended  to  reduce  these  related 
security  risks  in  commercial  software  products  purchased  for  military  systems. 

Possible  Effects  of  Cyber  Attack 

A  cyber  attack  has  the  potential  to  create  economic  damage  that  is  far  out  of 
proportion  to  the  cost  of  initiating  the  attack.^^  Security  experts  disagree  about  the 
damage  that  might  result  from  a  cyber  attack,^®  and  some  have  reportedly  stated  that 
U.S.  infrastructure  systems  are  resilient  and  could  possibly  recover  easily  from  a 
cyber  terrorism  attack,  thus  avoiding  any  severe  or  catastrophic  effects. 

Lower  Risk,  but  Less  Drama.  Tighter  physical  security  measures  now 
widely  in  place  may  actually  encourage  terrorists  in  the  future  to  explore  cyber  terror 
as  a  form  of  attack  that  offers  lower  risk  of  detection  to  the  attackers,  with  effects  that 
could  possibly  cascade  to  disrupt  other  information  systems  throughout  the  critical 
infrastructure.^^  A  successful  cyber  attack  that  targets  vulnerable  computers,  causing 
them  to  malfunction,  can  result  in  corrupted  flows  of  information  that  may  disable 
other  downstream  businesses  that  have  secure  computer  systems  previously  protected 
against  the  same  cyber  threat.  For  example,  cyber  attacks  that  secretly  corrupt  secure 
credit  card  transaction  data  at  retail  Internet  sites,  could  possibly  cause  that  corrupted 
data  to  spread  into  banking  systems  and  could  erode  public  confidence  in  the 
financial  sector,  or  in  other  computer  systems  used  for  global  commerce.  Also,  some 


Gartner  Inc.,  a  technology  research  organization,  has  estimated  that  by  2004,  more  than 
80%  of  U.  S.  companies  will  have  had  high-level  discussions  about  offshore  outsourcing,  and 
40%  will  have  completed  a  pilot  program.  Patrick  Thibodeau,  Jime  30, 2003,  Offshore ’s 
Rise  is  Relentless,  Computerworld,  Vol.  37,  No.  26,  p.l. 

“  The  most  expensive  natural  disaster  in  U.S.  history,  Hiuricane  Andrew,  is  reported  to 
have  caused  $25  billion  dollars  in  damage,  while  the  Love  Bug  virus  is  estimated  to  have 
cost  computer  users  around  the  world  somewhere  between  $3  billion  and  $15  billion. 
However,  the  Love  Bug  virus  was  created  and  launched  by  a  single  university  student  in  the 
Philippines,  relying  on  inexpensive  computer  equipment.  Christopher  Miller,  March3, 2003, 
GAO  Review  of  Weapon  Systems  Software,  Email  communication,  MillerC@gao.gov. 

“  Some  of  China’s  military  journals  speculate  that  cyber  attacks  could  disable  American 
financial  markets.  The  dilemma  for  this  kind  of  attack  is  that  China  is  as  dependent  on  the 
same  financial  markets  as  the  United  States,  and  could  suffer  even  more  from  disruption. 
With  other  critical  infrastmctmes,  the  amount  of  damage  that  can  be  done  is,  from  a 
strategic  viewpoint,  trivial,  while  the  costs  of  discovery  for  a  nation  state  could  be  very 
great.  These  constraints,  however,  do  not  apply  to  non-state  actors  like  A1  Qaeda.  Cyber 
attacks  could  potentially  be  a  useful  tool  for  non-state  actors  who  reject  the  global 
market  economy.  James  Levns,  December  2002,  Assessing  the  Risks  of  Cyber  Terrorism, 
Cyber  War  and  Other  Cyber  Threats,  [http://www.csis.org/tech/021  l_lewis.pdf.] 

CFR,  April  4,  2003,  Terrorism:  An  Introduction , 

[http://www.terrorismanswers.com/terrorism.] 
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security  experts  reportedly  have  stated  that  because  technology  continuously  evolves, 
it  is  incorrect  to  think  that  future  cyber  attacks  will  always  resemble  the  past 
annoyances  we  have  experienced  from  Internet  hackers. 

However,  other  security  observers  disagree,  stating  that  terrorist  organizations 
might  be  reluctant  to  use  the  Internet  itself  to  launch  an  attack.  Some  observers 
believe  that  terrorists  will  avoid  launching  a  cyber  attack  because  it  would  involve 
less  immediate  drama,  and  have  a  lower  psychological  impact  than  a  traditional 
physical  bombing  attack.  These  observers  believe  that  unless  a  computer  attack  can 
be  made  to  result  in  actual  physical  damage  or  bloodshed,  it  will  never  be  considered 
as  serious  as  a  nuclear,  biological,  or  chemical  terrorist  attack.  Unless  a  cyber  terror 
event  can  be  designed  to  attract  as  much  media  attention  as  a  physical  terror  event, 
the  Internet  may  be  better  utilized  by  terrorist  organizations  as  a  tool  for  surveillance 
and  espionage,  rather  than  for  cyber  terrorism.^* 

SCADA  Systems.  Supervisory  Control  And  Data  Acquisition  (SCADA) 
systems  are  computer  systems  relied  upon  by  most  critical  infrastructure 
organizations  to  automatically  monitor  and  adjust  switching,  manufacturing,  and 
odier  process  control  activities,  based  on  feedback  data  gathered  by  sensors.  Some 
experts  believe  that  these  systems  may  be  vulnerable  to  cyber  attack,  and  that  their 
importance  for  controlling  the  critical  infrastructure  may  make  them  an  attractive 
target  for  cyber  terrorists.  SCADA  systems  once  used  only  proprietary  computer 
software,  and  their  operation  was  confined  largely  to  isolated  networks.  However, 
an  increasing  number  of  industrial  control  systems  now  operate  using  Commercial- 
Off-The-Shelf  (COTS)  software,  and  more  are  being  linked  via  the  Internet  directly 
into  their  corporate  headquarters  office  systems.^®  Some  observers  believe  that 
SCADA  systems  are  inadequately  protected  against  a  cyber  attack,  and  remain 


James  Lewis,  2002,  December,  Assessing  the  Risks  of  Cyber  Terrorism,  Cyber  War  and 
Other  Cyber  Threats,  [http;//www.csis.org/tech/021  l_lewis.pdf.] 

Proprietary  systems  are  unique,  custom  built  software  products  intended  for  installation 
on  a  few  (or  a  single)  computers,  and  their  uniqueness  makes  them  a  less  attractive  target 
for  hackers.  They  are  less  attractive  because  finding  a  security  vulnerability  takes  time  (See 
Appendix  A),  and  a  hacker  may  usually  not  consider  it  worth  their  while  to  invest  die  pre¬ 
operative  surveillance  and  research  needed  to  attack  a  proprietary  system  on  a  single 
computer.  Commercial-Off-The-Shelf  (COTS)  software  products,  on  Ae  other  hand,  are 
more  attractive  to  hackers  because  a  single  security  vulnerability,  once  discovered  in  a 
COTS  product,  m^  be  embedded  in  numerous  computers  that  have  the  same  COTS 
software  product  installed. 

^  The  “Slammer”  worm  corrupted  for  5  hours  the  computer  systems  at  the  closed  Davis- 
Besse  nuclear  power  plant  located  in  Ohio.  The  worm  bypassed  firewall  security,  and 
highlighted  possible  security  issues  that  may  arise  whenever  plant  networks  and  corporate 
networks  are  interconnected.  The  Davis-Besse  corporate  network  was  foimd  to  have 
multiple  connections  to  the  Internet  that  bypassed  the  plant  firewall.  Kevin  Poulsen,  August 
19  2003,  Slammer  Worm  Crashed  Ohio  Nuke  Plant  Network,  Seciuity  Focus, 
[http://www.securityfocus.com/news/6767.] 


CRS-9 


vulnerable  because  many  of  the  organizations  that  operate  them  have  not  paid  proper 
attention  to  computer  security  needs.^’ 

However,  other  observers  disagree,  suggesting  that  the  critical  infrastructure  and 
SCADA  systems  are  more  robust  and  resilient  than  early  theorists  of  cyber  terror 
have  stated,  and  that  the  infrastructure  would  likely  recover  rapidly  from  a  cyber 
terrorism  attack.  They  cite,  for  example,  that  in  Ae  larger  context  of  economic 
activity,  water  system  failures,  power  outages,  air  traffic  disruptions,  and  other  cyber¬ 
terror  scenarios  are  routine  events  that  do  not  always  affect  national  security.  System 
failure  is  a  routine  occurrence  at  the  regional  level,  w4iere  service  may  often  be 
denied  to  customers  for  hours  or  days.  Hi^ly  skilled  engineers  and  technical  experts 
who  understand  the  systems  would,  as  always,  work  tirelessly  to  restore  functions  as 
quickly  as  possible.  Cyber  terrorists  would  need  to  attack  multiple  targets 
simultaneously  for  long  periods  of  time,  perhaps  in  coordination  with  more 
traditional  physical  terrorist  attacks,  to  gradually  create  terror,  achieve  strategic  goals, 
or  to  have  any  noticeable  effects  on  national  security. 

Several  simulations  have  been  conducted  to  determine  the  effects  that  an 
attempted  cyber  attack  might  have  on  U.S.  defense  systems  and  the  critical 
infrastructure.  In  1997,  DOD  conducted  a  mock  cyber  attack  to  test  the  ability  of 
DOD  systems  to  respond  to  protect  the  national  information  infrastructure.  That 
exercise,  called  operation  “Eligible  Receiver  1997’  revealed  dangerous 
vulnerabilities  in  U.S.  military  information  systems.^^  In  October 2002,  a  subsequent 
mock  cyber  attack  against  DOD  systems,  titled  “Eligible  Receiver  2003”,  indicated 
a  need  for  greater  coordination  between  military  and  non-military  organizations  to 
deploy  a  rapid  computer  counter-attack,  or  pre-emptive  attack.^'* 

In  July  2002,  the  U.S.  Naval  War  College  hosted  a  three-day  seminar-style  war 
game  called  “Digital  Pearl  Harbor^’.  The  objective  was  to  develop  a  scenario  for  a 
coordinated,  cross-industry,  cyber  terrorism  event  involving  mock  attacks  by 
computer  security  experts  against  critical  infrastructure  systems  in  a  simulation  of 
state-sponsored  cyber  warfare  attacks.  The  exercise  concluded  that  a  “Digital  Pearl 


Industrial  computers  sometimes  have  operating  requirements  that  differ  from  business  or 
office  computers.  For  example,  monitoring  a  chemical  process,  or  a  telephone  microwave 
tower  may  require  24-hour  continuous  availability  for  a  critical  industrial  computer.  Even 
though  industrial  systems  may  operate  using  COTS  software  (see  above),  it  may  be 
economically  difficult  to  justify  suspending  the  operation  of  an  industrial  SCADA  computer 
on  a  regular  basis  to  take  time  to  install  every  new  security  software  patch.  See  interview 
with  Michael  Vatis,  director  of  the  Institute  for  Security  Technology  Studies  related  to 
counterterrorism  and  cyber  security.  Sharon  Gaudin,  July  19, 2002,  Security  Expter:  U.S. 
Companies  Unprepared  for  Cyber  Terror ,  Datamation, 
|http;//itmanagement.earthweb.coni/secu/article.php/1429851]. 

Scott  Nance,  April  7, 2003,  Debunking  Fears:  Exercise  Finds  Digital  Pearl  Harbor’ 
Risk  Small,  Defense  Week,  lhttp;//www.kingpublishmg.com/publications/dw/]. 

Christopher  Casteilli,  2002,  DOD  and  Thailand  Run  Classified  ‘Eligible  Receiver  ’Info- 
War  Exercise,  Defense  Information  and  Electronics  Report,  Vol.  77,  No.  44. 

^  Janu^  9,  2003,  Briefing  on  “Eligible  Receiver  2003”  by  DOD  staff  for  the 
Congressional  Research  Service. 
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Harbor”  in  the  United  States  was  only  a  small  possibility.  However,  a  survey  of  war 
game  participants  after  the  exercise  indicated  that  79  percent  believed  that  a  strategic 
cyber  attack  is  likely  within  the  next  2  years.^^ 

The  U.S.  Naval  War  College  simulation  showed  that  cyber  attacks  directed 
against  SCADA  systems  controlling  the  electric  power  grid  were  only  able  to  cause 
disruption  equivalent  to  a  temporary  power  outage  that  consumers  normally 
experience.  Simulated  attempts  to  cripple  the  telecommunications  systems  were 
determined  to  be  unsuccessful  because  system  redundancy  would  prevent  damage 
from  becoming  too  widespread.  The  computer  systems  that  appeared  to  be  most 
vulnerable  to  simulated  cyber  attacks  were  the  Internet  itself,  and  systems  that  are 
part  of  the  financial  infrastructure.^® 

Capabilities  for  Cyber  Attack 

Stealth  and  pre-operational  surveillance  are  important  characteristics  known  to 
precede  a  computer  attack  launched  by  hackers.  Similar  characteristics  have  also 
been  described  as  a  “hallmark”  of  some  previous  A1  Qaeda  physical  terrorist  attacks 
and  bombings  (see  Appendices  A  and  C).^’ 


The  simulation  involved  more  than  100  participants.  Gartner,  Inc.,  July,  2002, 
Cyberattacks:  The  Results  of  the  Gartner/U.S.  Naval  War  College  Simulation, 
|http://www3.gartner.com/2_events/audioconferences/dph/dph.html.]  War  game 
participants  were  divided  into  cells,  and  devised  attacks  against  the  electrical  power  grid, 
telecommunications  infrastructure,  the  Internet  and  the  financial  services  sector.  It  was 
determined  that  “peer-to-peer  networking”,  a  special  method  of  communicating  where 
every  PC  used  commonly  available  software  to  act  as  both  a  server  and  a  client,  posed  a 
potentially  critical  threat  to  the  Internet  itself.  William  Jackson,  August  23,  2002,  War 
College  Calls  Digital  Pearl  Harbor  Doable,  Government  Computer  News, 
[http;//www.gcn.com/voll_nol/daily-updates/19792-l.html.] 

^  At  the  annual  conference  of  the  Center  for  Conflict  Studies,  Phil  Williams,  Director  of 
the  Program  on  Terrorism  and  Trans-National  Crime  and  the  University  of  Pittsburgh,  said 
an  attack  on  the  global  financial  system  would  likely  focus  on  key  nodes  in  the  U.S. 
financial  infrastructure:  Fedwire  and  Fednet.  Fedwire  is  the  financial  funds  transfer  system 
that  exchanges  money  among  U.S.  banks,  while  Fednet  is  the  electronic  network  that 
handles  the  transactions.  The  system  has  one  primary  installation  and  three  backups.  “You 
can  find  out  on  the  Internet  where  the  backups  are.  If  those  could  be  taken  out  by  a  mix  of 
cyber  and  physical  activities,  the  U.S.  economy  would  basically  come  to  a  halt,”  Williams 
said.  “If  the  takedown  were  to  include  the  international  funds  transfer  networks  CHIPS  and 
SWIFT  then  the  entire  global  economy  could  be  thrown  into  chaos.”  George  Butters, 
October  10,  2003,  Expect  terrorist  attacks  on  Global  Financial  System, 
[http://www.theregister.co.uk/content/55/33269.html] 

”  The  success  of  the  Vehicle  Borne  Improvised  Explosive  Devices  (VBIEDs)  used  in  the 
May  11,  2003  terrorist  attacks  in  Riyadh,  veiy  likely  depended  on  extensive  advance 
surveillance  of  the  multiple  targets.  Protective  measures  against  such  attacks  rely  largely  on 
watching  for  signs  of  this  pre-operational  surveillance.  Gaiy  Harter,  May  1 5, 2003 ,  Potential 
Indicators  of  Threats  Involving  VBIEDs,  Homeland  Security  Bulletin,  Bfisk  Assessment 
Division,  Information  Analysis  Directorate,  DHS. 
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Laxinching  a  coordinated  or  widespread  attack  against  critical  infrastructure 
computers  may  call  for  significant  resources  to  develop  Ae  required  set  oftechnically 
sophisticated  hacker  tools,  and  to  also  conduct  fte  necessary  pre-operational 
surveillance.  It  has  been  estimated  that  advanced  structured  cyber  attacks  against 
multiple  systems  and  networks,  including  target  surveillance  and  creation  and  testing 
of  new  hacker  tools,  may  require  2  to  4  years  of  preparation,  \\4iile  a  complex 
coordinated  cyber  attack  causing  mass  disruption  against  integrated,  heterogeneous 
systems  may  require  6  to  10  years  or  preparation.^* 

Terrorist  Organizations.  A  report  by  The  Center  for  the  Study  of  Terrorism 
and  Irregular  Warfare  at  the  Naval  Postgraduate  School  concluded  that  the  barrier  to 
entry  for  widespread  and  severe  computer  attacks  is  quite  high  and  that  terrorist 
groups  currently  lack  the  capability  to  mount  a  meaningful  operation.  The  report  also 
concluded  that  it  is  more  likely  that  less  severe  computer  attacks  will  be  used  in  the 
future  to  supplement  physical  terrorist  attacks.*® 

At  a  conference  of  terrorism  experts  held  in  Paris  in  May  2000,  participants 
analyzed  the  decision-making  processes  of  terrorist  organizations,  and  concluded  that 
information  technology  would  most  likely  not  be  used  to  cause  events  of  mass 
disruption.  They  stated  that  terrorist  organizations  would  likely  select  their  targets 
carefully  and  limit  the  effects  of  an  attack.'*® 

Some  news  sources  have  reported  that  A1  Qaeda  operatives  are  not  currently 
involved  with  high-technology.  Many  captured  computers  contain  files  that  are  not 
encrypted,  or  that  use  encryption  that  is  easily  broken,  and  many  of  A1  Qaeda’s 
“codes”  consist  of  simple  word  substitutions,  or  flowery  Arabic  phrases.  However, 
Osama  Bin  Laden  has  reportedly  has  taken  steps  to  improve  organizational  secrecy 
through  more  clever  use  of  technology.'" 

Several  experts  have  also  observed  that  A1  Qaeda  and  other  terrorist 
organizations  may  begin  to  change  their  use  of  computer  technology: 

!  seized  computers  belonging  to  A1  Qaeda  indicate  its  members  are 
now  becoming  familiar  with  hacker  tools  that  are  freely  available 
over  the  Internet; 


Dorothy  Denning,  2002,  Levels  of  Cyberterror  Capability:  Terrorists  and  the  Internet, 
presentation, 

[http://www.cs.georgetown.edu/~denning/infosec/Denning-Cyberterror-SRI.ppt] 

Report  was  published  in  1999,  and  is  available  at 
[http  ://www.nps  .navy.mil/ctiw/reports/j . 

®  David  Tucker,  September,  2000,  The  Future  of  Armed  Resistance:  Cyberterror?  Mass 
Destruction?,  report  on  conference  held  at  the  University  Pantheon-Assas,  Paris,  May  15-17, 
2000,  [http://www.nps.navy.mil/ctiw/files/substate_conflict_dynamics.pdf .] 

““  David  Kaplan,  June  2,  2003,  Playing  Offense:  The  inside  story  of  how  U.S.  terrorist 
hunters  are  going  after  Al  Qaeda,  U.S.  News  &  World  Report,  pp.  19-29. 

Richard  Clarke,  April  2003,  Vulnerability:  What  are  Al  Qaeda ’s  Capabilities?  PBS 

(continued...) 
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!  as  computer-literate  youth  increasingly  join  the  ranks  of  terrorist 
groups,  what  may  be  considered  radical  today  will  become 
increasingly  more  mainstream  in  the  future; 

!  a  computer-literate  leader  may  bring  increased  awareness  of  the 
advantages  of  an  attack  on  information  systems  that  are  critical  to  an 
adversary,  and  will  be  more  receptive  to  suggestions  from  other, 
newer  computer-literate  members; 

!  once  a  new  tactic  has  won  widespread  media  attention,  it  likely  will 
motivate  other  rival  groups  to  follow  along  the  new  pathway;  and, 

!  potentially  serious  computer  attacks  may  be  first  developed  and 
tested  by  terrorist  groups  using  small,  isolated  laboratory  networks, 
thus  avoiding  detection  of  any  preparation  before  launching  a 
widespread  attack.'*^ 

Members  of  A1  Qaeda  and  other  terrorist  groups  have  a  record  of  using 
computer  networks  in  planning  terrorist  acts.  Evidence  suggests  that  terrorists  used 
the  Ihtemet  to  plan  their  operations  for  September  1 1 , 2001 .  Mouhammed  Atta,  the 
leader  of  the  attacks,  made  his  air  ticket  reservations  online,  and  A1  Qaeda  cells 
reportedly  were  using  Internet-based  telephone  services  to  communicate  with  other 
cells  overseas,'*^  Khalid  Shaikh  Mohammed,  mastermind  of  the  attacks  against  the 
World  Trade  Center,  reportedly  used  Internet  chat  software  to  communicate  with  at 
least  two  airline  hijackers."’^  International  terrorist  groups,  including  A1  Qaeda,  are 
also  known  to  use  advances  in  technolo©^  such  as  optoelectronics  (such  as  military 
night-vision  devices),  special  communications  equipment,  GPS  systems,  and  other 
electronic  equipment,  according  to  DHS  officials.  DHS  Homeland  Security  Bulletins 
advise  tiiat  many  terrorists  may  now  have  access  to  very  expensive  high  technology 
equipment. 

Other  news  reports  have  indicated  that  some  terrorist  organizations  are 
becoming  increasingly  familiar  with  stronger  encryption.  Ramzi  Yousef,  recently 
sentenced  to  life  imprisonment  for  helping  to  bomb  the  World  Trade  Center,  had 


(...continued) 

Frontline;  Cyberwar,  [hth)://www.pbs.org]. 

Jerrold  M.  Post,  Kevin  G.  Ruby,  and  Eric  D.  Shaw,  Summer  2000,  From  Car  Bombs  to 
Logic  Bombs:  The  Growing  Threat  From  Information  Terrorism,  Terrorism  and  Political 
Violence,  VoI.12,  No.2,  pp.97-122. 

Networking  technologies,  such  as  the  Internet,  are  advantageous  for  attackers  who  are 
geographically  dispersed.  Networking  supports  redundancy  within  an  organization,  and  it 
suggests  the  use  of  swarming  tactics,  new  weapons,  and  other  new  strategies  for  conducting 
conflict  that  show  advantages  over  traditional  government  hierarchies.  Inflexibility  is  a 
major  disadvantage  when  a  hierarchy  confronts  a  networked  organization.  Networks  blend 
offensive  and  defensive  functions,  while  hierarchies  struggle  with  allocating  responsibility 
for  either.  John  Arquilla,  David  Ronfeldt,  2001,  Networks  and  Netwars,  Rand,  Santa 
Monica,  California,  p.285. 

Audrey  Cronin,  2003,  Behind  the  Curve,  Globalization  and  International  Terrorism,  pre¬ 
publication  draft. 

Robert  Windrem,  September  21,  2003,  9/11  Detainee:  Attack  Scaled  Back, 
[http://www.msnbc.com/news/969759.asp.] 
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trained  as  an  electrical  engineer,  and  had  planned  to  use  sophisticated  electronics  to 
detonate  bombs  on  12  U.S.  airliners  departing  from  Asia  for  the  United  States.  He 
also  used  sophisticated  encryption  to  protect  his  data  and  to  prevent  law  enforcement 
from  reading  his  plans  should  he  be  captured.'^’ 

The  PBS  television  news  program,  Frontline,  reported  in  April  2003  that  a 
computer  captured  in  Afghanistan,  belonging  to  A1  Qaeda,  contained  models  of  dams 
and  computer  programs  that  analyze  them.  The  implication  was  that  A1  Qaeda  may 
be  using  computer  technology  to  aid  in  a  future  terrorist  attack.  It  was  not  made  clear 
v^ether  a  possible  future  attack  might  be  done  through  the  Internet  or  target  the 
computer  facilities  that  control  the  dams.  Some  observers  also  believe  that  terrorist 
groups  that  operate  in  post-industrial  societies,  such  as  Europe  and  the  United  States, 
may  be  more  likely  to  consider  and  employ  computer  attack  and  cyber  terrorism  than 
groups  operating  in  developing  regions  with  limited  technological  penetration. 

Terrorist-Sponsoring  Nations.  The  US.  Department  of  State  lists 
seven  designated  state  sponsors  of  terrorism  in  2002:  Cuba,  Iran,  Iraq,  Libya,  North 
Korea,  Syria,  and  Sudan.'’®  These  countries  are  identified  as  sponsors  for  funding, 
weapons,  and  other  materials  for  planning  and  conducting  operations  by  terrorist 
groups.  Elements  in  Iran  are  believed  by  some  observers  to  have  close  links  with  A1 
Qaeda,  and  North  Korea  has  continued  to  sell  we^ons  and  high-technology  items 
to  other  countries  designated  as  state  sponsors  of  terrorism.  However,  it  should  be 
pointed  out  that  a  study  of  trends  in  Internet  attacks  determined  that  countries  on  the 
Department  of  State  list  generated  less  than  one  percent  of  all  reported  cyber  attacks 
directed  against  selected  businesses  in  2002.'*® 

News  sources  have  reported  that,  other  than  a  few  Web  site  defacements,  there 
was  no  evidence  that  a  computer  attack  was  launched  by  Iraq  or  by  terrorist 
organizations  against  United  States  military  forces  during  Gulf  War  The  security 
research  organization,  C4I.org,  reported  that  prior  to  the  March  2003  deployment  of 
U.S.  troops,  traffic  increased  from  Web  surfers  in  Iraq  using  search  terms  such  as, 
“Computer  warfare,”  “NASA  computer  network,”  and  “airborne  computer.”  Experts 
interpreted  the  increased  Web  traffic  as  an  indication  that  fraq’s  government  was 
increasingly  relying  on  the  Internet  for  intelligence  gathering.*’ 

Other  news  sources  have  reported  recent  statements  made  by  Major  General 
Song  Young-geun,  head  of  the  Defense  Security  Command  of  South  Korea,  claiming 
that  North  Korea  may  currently  be  training  more  than  1 00  new  computer  hackers  per 


Ibid.  p.  109. 

U.S.  Department  of  State,  April  30, 2003, 2002  Patterns  of  Global  Terrorism  Report. 

Riptech  Internet  Security  Threat  Report,  Attack  Trends  for  Q1  and  Q2  2002, 
[http://www.securitystats.eom/reports/Riptech-Intemet_Security_Threat_Report_vII.200 
20708.pdf]  (Riptech  has  recently  been  purchased  by  Symantec,  hic.) 

“  Kim  Zetter,  May  2003,  Faux  Cyberwar,  Computer  Security,  Vol.6,  No.5,  p.22. 

Brian  McWilliams,  May  22,  2003,  Iraq’s  Crash  Course  in  Cyberwar,  Wired  News, 
[http  ://www.  wired.com/news/print/0, 1 294,5 8901 ,00.html] . 
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year.^^  Pentagon  and  State  Department  officials  reportedly  are  unable  to  confirm  the 
claims  made  by  South  Korea,  and  defense  experts  reportedly  believe  that  North 
Korea  is  incapable  of  seriously  disrupting  U.S.  military  computer  systems.  Also, 
Department  of  State  officials  have  reportedly  said  that  North  Korea  is  not  known  to 
have  sponsored  any  terrorist  acts  since  1987.  However,  computer  programmers  from 
the  Pyongyang  Informatics  Center  in  North  Korea  have  done  contract  work  to 
develop  software  for  local  governments  and  businesses  in  Japan  and  Soufti  Korea. 
And  other  security  experts  reportedly  believe  that  North  Korea  may  have  also 
developed  a  considerable  capability  for  cyber  warfare,  partly  in  response  to  South 
Korea’s  admitted  build  up  of  177  computer  training  centers  and  its  expanding 
defense  budget  targeted  at  projects  to  prepare  for  information  warfare. 

Possible  Links  Between  Hackers  and  Terrorists 

Hacker  groups  are  numerous,  and  have  differing  levels  of  technical  skill. 
Membership  in  highly-skilled  hacker  groups  may  be  exclusive,  and  limited  only  to 
individuals  who  develop  and  share  their  own  closely-guarded  set  of  sophisticated 
hacker  tools.  These  exclusive  hacker  groups  are  more  likely  to  not  seek  attention 
because  secrecy  allows  them  to  be  more  effective. 

Some  hacker  groups  may  be  globally  dispersed,  wifti  political  interests  that  are 
supra-national,  or  based  on  religion  or  other  socio-political  ideologies.  Other  groups 
may  be  motivated  by  profit,  or  linked  to  organized  crime,  and  may  be  willing  to  sell 
their  computer  skills  to  a  sponsor,  such  as  a  nation  state  or  a  terrorist  group, 
regardless  of  the  political  interests  involved.  For  instance,  it  has  been  reported  that 
the  Indian  separatist  group,  Harkat-ul-Ansar,  attempted  to  purchase  military  software 
from  hackers  in  late  1998.  In  March  2000,  it  was  reported  that  the  Aum  Shinrikyo 
cult  organization  had  contracted  to  write  software  for  up  to  80  Japanese  companies, 
and  10  government  agencies,  including  Japan’s  Metropolitan  police  department; 
however,  there  were  no  reported  computer  attacks  related  to  these  contracts.^ 

Linkages  between  hackers,  terrorists,  and  terrorist-sponsoring  nations  may  be 
difficult  to  confirm,  but  cyber  terror  activity  may  possibly  be  detected  through  careful 
monitoring  of  network  chat  areas  where  hackers  sometimes  meet  anonymously  to 
exchange  information.  The  Defense  Advanced  Research  Proj  ects  Agency  (DARPA) 
has  conducted  research  and  development  for  systems,  such  as  the  former  Terrorism 


The  civilian  population  of  North  Korea  is  reported  to  have  a  sparse  number  of  computers, 
with  only  a  few  locations  offering  connections  to  the  Internet,  while  South  Korea  is  one  of 
the  most  densely-wired  countries  in  the  world,  with  70  percent  of  all  households  having 
broadband  Internet  access.  Dining  the  recent  global  attack  involving  the  “Slammer” 
computer  worm,  many  Internet  service  providers  in  North  Korea  were  severely  affected. 
Miami  Herald  Online,  May  16,  2003,  North  Korea  May  be  Training  Hackers, 
[http://www.miami.com/mld/miamiherald/news/world/5877291.htm]. 

”  Brian  McWilliams,  June  2, 2003,  North  Korea ’s  School  for  Hackers,  Wired  News.com, 
[http://www.wired.com/news/conflict/0,2100,59043,00.html]. 

Dorothy  Denning,  August  24,  2000,  Cyber  terrorism, 

[http://www.cs.georgetown.edu/~denning/mfosec/cyberterror-GD.doc]. 
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Information  Awareness  Program,^^  that  are  intended  to  help  investigators  discover 
covert  linkages  among  people,  places,  things,  and  events  related  to  possible  terrorist 
activity  (see  below  for  privacy  issues). 


Issues  for  Congress 

Issues  linked  to  a  DOD  Response  to  Cyber  Terrorism 

In  February  2003,  the  administration  published  a  report  titled,  the  “National 
Strategy  to  Secure  Cyberspace”,  that  makes  clear  that  the  U.S.  government  reserves 
the  right  to  respond  “in  an  appropriate  manner”  if  the  United  States  comes  under 
computer  attack.  This  response  could  involve  the  use  of  U.S.  cyber  weapons,  or 
malicious  code  designed  to  attack  and  disrupt  the  targeted  computer  systems  of  an 
adversary. 

Guidance  for  DOD.  The  Bush  administration  announced  plans,  in  February, 
2003,  to  develop  national-level  guidance  for  determining  vdien  and  how  the  United 
States  would  launch  computer  network  attacks  against  foreign  adversary  computer 
systems.^®  However,  any  U.S.  response  against  a  cyber  attack  must  be  carefully 
weighed  to  avoid  mistakes  in  retaliation,  or  other  possible  unintended  outcomes. 

A  potential  issue  for  Congress  is  that  any  response  intended  by  U.S.  forces  as 
retaliation  may  be  labeled  by  others  as  an  unprovoked  first  strike  against  the  targeted 
terrorist  group.  Similarly,  any  U.S.  attempt  to  suddenly  or  greatly  increase 
surveillance  via  use  of  computer  programs  may  be  labeled  as  an  unprovoked  attack 
against  a  terrorist  group.  Options  for  a  cyber  response  from  the  United  States  may  be 
limited  because  there  will  likely  be  difficulty  in  determining,  with  a  high  degree  of 
certainly,  or  in  a  timely  manner,  if  a  terrorist  group  is  responsible  for  a  cyber  attack 
against  the  United  States.  For  example,  any  identifiable  source  of  a  computer  attack 
might  have  previously  had  its  own  computers  taken  over  by  an  intruder.  Thus,  a 
terrorist  group  could  possibly  be  set  up  by  others  to  appear  as  the  guilty  cyber  attacker 
in  order  to  draw  attention  away  from  the  actual  attacker  who  may  be  located 
elsewhere. 


’’  Fimding  for  the  controversial  Terrorism  Information  Awareness  program  has  ended  for 
2004.  The  prototype  system  was  formerly  housed  within  the  DARPA  Information 
Awareness  Office.  Several  related  data  mining  research  and  development  programs,  now 
under  different  agencies,  are  designed  to  provide  better  advance  information  about  terrorist 
planning  and  preparation  activities  to  prevent  future  international  terrorist  attacks  against 
the  United  States  at  home  or  abroad.  A  goal  of  data  mining  is  to  treat  worldwide  distributed 
database  information  as  if  it  were  housed  within  one  centralized  database.  Report  to 
Congress  Regarding  the  Terrorism  Information  Awareness  Program,  Executive  Summary, 
May  20  2003,  p.l. 

^  The  guidance,  known  as  National  Security  Presidential  Directive  16,  was  signed  in  July 
2002,  and  is  intended  to  clarify  circumstances  under  which  an  information  warfare  attack 
by  DOD  would  be  justified,  and  who  has  authority  to  launch  a  computer  attack. 
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U.S.  Use  of  Cyber  Weapons.  If  the  United  States  should  officially  choose 
to  use  DOD  cyber  weapons  to  retaliate  against  a  terrorist  group,  would  that  possibly 
encourage  others  to  then  start  launching  cyber  attacks  against  the  United  States?  If 
a  terrorist  group  should  subsequently  copy,  or  reverse-engineer  a  destructive  U.S. 
military  computer  attack  program,  would  they  use  it  against  other  countries  that  are 
U.S.  allies,  or  even  turn  it  back  against  civilian  computer  systems  in  the  United 
States?^^ 

The  use  of  cyber  weapons,  if  the  effects  are  widespread  and  severe,  could 
arguably  exceed  the  customary  rules  of  military  conflict,  also  known  as  the 
international  laws  of  war.^®  The  resulting  effects  of  offensive  cyber  weapons  for 
information  warfare  operations  may  be  difficult  to  limit  or  control.  If  a  computer 
attack  program  is  targeted  against  terrorist  groups  or  enemy  military  computer 
systems,  there  is  a  possibility  that  the  malicious  code  might  inadvertently  spread 
throughout  the  Internet  to  severely  affect  or  shut  down  critical  infrastructure  systems 
in  other  non-combatant  countries,  including  perhaps  computers  operated  by  U.S. 
friends  and  allies,  or  other  U.S.  interests.  Critical  civilian  computer  systems  within 
the  country  hosting  the  terrorist  group  may  also  be  adversely  affected  by  a  DOD  cyber 
attack  against  the  terrorists’  computers. 

In  a  meeting  held  in  January  2003 ,  at  the  Massachusetts  Institute  of  Technology, 
White  House  officials  sought  input  from  experts  outside  government  on  guidelines  for 
U.S.  use  of  cyber  weapons.  Officials  have  stated  they  are  proceeding  cautiously, 
because  a  U.S.  cyber  attack  against  terrorist  groups  or  other  adversaries  could  have 
serious  cascading  effects,  perh^s  causing  major  disruption  to  civilian  systems  in 
addition  to  the  intended  computer  targets.®^ 

Privacy 

Another  potential  issue  for  Congress  concerns  how  to  balance  the  need  for 
terrorism  awareness  against  the  need  to  protect  individual  privacy.  A  factor  limiting 
the  ability  to  analyze  the  cyber  capabilities  of  terrorist  groups  is  a  lack  of  data  related 
to  computer  activity  that  can  be  traced  back  to  those  groups.  A  terrorist  group  that  is 
currently  lacking  the  technical  skills  needed  to  sc^  for  vulnerabilities  and  launch  a 
computer-based  attack  may  possibly  gain  access  to  additional  resources  through 


’’  See  CRS  Report  RL31787,  Information  Warfare  and  Cyberwar:  Capabilities  and 
Related  Policy  Issues,  by  Clay  Wilson. 

The  laws  of  war  are  international  rules  that  have  evolved  to  resolve  practical  problems 
relating  to  military  conflict,  such  as  restraints  to  prevent  misbehavior  or  atrocities,  and  have 
not  been  legislated  by  an  overarching  central  authority.  The  United  States  is  party  to  various 
limiting  treaties.  For  example,  innocent  civilians  are  protected  during  war  under  the 
Convention  on  Prohibitions  or  Restrictions  on  the  Use  of  Certain  Conventional  Weapons 
Which  May  Be  Deemed  to  be  Excessively  hyiuious  or  to  have  Indiscriminate  Effects. 
Sometimes  the  introduction  of  new  technology  tends  to  force  changes  in  the  xmderstanding 
of  the  laws  of  war.  Gary  Anderson  and  Adam  Gifford,  Order  Out  of  Anarchy:  The 
International  Law  of  War.  The  Cato  Journal,  vol.  15,  no.  1,  p.25-36. 

Bradley  Graham,  Bush  Orders  Guidelines for  Cyber-Warfare, ^ss\imgXon  Post,  February 
7,2003,  Section  A,  p.l. 
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forming  a  link  with  hacker  criminals,  or  with  one  of  several  terrorist-sponsoring 
nation  states.  Data  mining  programs  such  as  the  former  Terrorism  Information 
Awareness  program,  and  the  new  Terrorist  Threat  Information  Center  (TTIC)  are 
intended  to  help  uncover  these  linkages.  However,  concerns  raised  about  possible  loss 
of  individual  privacy  through  investigation  of  domestic  databases  has  resulted  in 
restrictions  on  development  of  automated  tools  for  analysis  of  information. 

Terrorism  Information  Awareness  Program.  Funding  has  ended  for  the 
Terrorism  Information  Awareness  (TIA)  program  for  2004,  and  the  Information 
Awareness  Office,  a  branch  of  DA^A,  is  now  disbanded.®*  The  TIA  data  mining 
program  was  intended  to  sift  through  vast  quantities  of  citizens’  personal  data,  such 
as  credit  card  transactions  and  travel  bookings,  to  identify  possible  terrorist  activity 
to  provide  better  advance  information  about  terrorist  plaiming  and  preparation 
activities  to  prevent  future  international  terrorist  attacks  against  the  United  States  at 
home  or  abroad. 

However,  the  TIA  program  and  other  similar  proposals  for  domestic  surveillance 
raised  privacy  concerns  from  lawmakers,  advocacy  groups,  and  the  media.  Some 
privacy  advocates  have  objected  to  the  possibility  that  information  gathered  through 
domestic  surveillance  may  be  viewed  by  unauAorized  users,  or  even  misused  by 
authorized  users.  Congress  has  moved  to  restrict  or  eliminate  funding  for  the  TIA 
program  under  S.  1382  and  HR.  2658. 

S.  1382,  titled  the  Defense  Appropriations  Act  of  2004,  and  introduced  on 
7/9/2003  by  Senator  Ted  Stevens,  restricts  funding  and  deployment  of  the  TIA 
Program.  Section  8120  part  (a)  limits  use  of  funds  for  research  and  development 
of  the  TIA  Program,  stating  that  “no  funds  appropriated  or  otherwise  made 
available  to  the  Department  of  Defense,  vdiether  to  an  element  of  the  Defense 
Advanced  Research  Projects  Agency  or  any  odier  element,  or  to  any  other 
department,  agency,  or  element  of  the  Federal  Government,  may  be  obligated  or 
expended  on  research  and  development  on  the  Terrorism  Information  Awareness 
program.”  Section  8120  part  (b)  limits  deployment  of  HA  systems,  stating  that 
no  department  or  agency  of  the  Federal  Government  may  deploy  or  implement 
any  component  of  TIA,  until  the  Secretary  of  Defense  notifies  Congress  about 
the  intended  deployment  and  has  received  authorization  from  Congress. 

H.R.  2658,  titled  Defense  Appropriations  FY2004,  was  introduced  on  7/2/2003 
by  Representative  Jerry  Lewis,  and  requires  specific  authorization  by  law  from 
Congress  for  the  deployment  or  implementation  of  any  component  of  the  HA 
program,  if  research  and  development  facilitate  such  deployment  or 
implementation.  In  September,  under  section  8131,  and  in  House  Report  108- 
283,  House  and  Senate  conferees  agreed  to  end  funding  for  TLA  for  2004,  and  to 
disband  the  Information  Awareness  Office  (lAO)  of  DARPA.  However,  other 


“  House  and  Senate  conferees  voted  on  September  24  to  end  funding  for  TIA  through  2004. 
Steven  M.  Cherry,  September  29, 2003,  Controversial  Pentagon  Program  Scuttled,  But  Its 
Work  Will  Live  On,  IEEE  Spectrum  online,  [http://www.spectrum.ieee.org]. 
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DOD  programs  for  foreign  counterintelligence  under  the  CIA,  FBI  and  NS  A,  and 
severd  other  research  programs  formerly  within  the  lAO  are  continued.®' 

Other  Search  Technologies.  The  Department  of  Defense  is  currently 
reviewing  the  capabilities  of  other  data  mining  products  using  technology  that  may 
reduce  domestic  privacy  concerns  raised  by  TIA.  For  example.  Systems  Research  and 
Development,  a  technology  firm  based  in  Las  Vegas,  has  been  tasked  by  the  CIA  and 
other  agencies  to  develop  a  new  database  search  product  called  “Anonymous  Entity 
Resolution.”  The  technology  used  in  this  product  can  help  investigators  determine 
wliether  a  terrorist  suspect  appears  in  two  separate  databases,  without  revealing  any 
private  individual  information.  The  product  uses  encryption  to  ensure  that  even  if  the 
scrambled  records  are  intercepted,  no  private  information  can  be  extracted.  Thus, 
terrorism  watch  lists  and  corporate  databases  could  be  securely  compared  online, 
without  revealing  private  information.®^ 

The  Florida  police  department  has,  since  2001,  operated  a  counter  terrorism 
system  called  the  Multistate  Anti-Terrorism  Information  Exchange,  or  “Matrix”,  that 
helps  investigators  find  patterns  among  people  and  events  by  combining  police 
records  with  commercially  available  information  about  most  U.S.  adults.  Matrix 
includes  information  that  has  always  been  available  to  investigators,  but  adds 
extraordinary  processing  speed.  The  Justice  Department  has  provided  $4  million  to 
expand  the  Matrix  program  nationally.  DHS  has  pledged  $8  million  to  assist  with  the 
national  expansion,  and  has  also  announced  plans  to  launch  a  pilot  data-sharing 
network  that  will  include  Virginia,  Maryland,  Pennsylvania,  and  New  York.®^ 


®'  The  eight  programs  formerly  within  the  now  disbanded  LAO,  but  still  remaining  imder 
DARPA  are:  Bio-Event  Advanced  Leading  Indicator  Recognition  Technology  ($6.3M); 
Rapid  Analytical  Wargaming  ($7.5M);  Wargaming  the  Asymmetric  Environment  ($8.2M); 
and  five  projects  to  translate  and  analyze  spoken  and  written  natural  languages  -  TIDES, 
EARS,  and  GALE  ($46.3M),  and  Babylon  and  Symphony  ($10.9M).  Related  research  will 
also  continue  for  acoxmterintelligence  program  known  as  the  National  Foreign  Intelligence 
Program,  managed  jointly  by  the  CIA  FBI  and  NSA  The  budget  for  the  NFEP  is  classified. 
Steven  M.  Cherry,  September  29, 2003,  Controversial  Pentagon  Program  Scuttled,  But  Its 
Work  Will  Live  On,  IEEE  Spectrum  online,  [http://www.spectrum.ieee.org]. 

“  Pentagon  sources  familiar  with  the  “Anonymous  Entity  Resolution”  technology  have 
indicated  that  it  m^  alleviate  some  of  the  issues  associated  with  privacy  protection.  The 
product  uses  “entity-resolution  techniques”  to  scramble  data  for  security  reasons.  The 
software  sifts  through  data  such  as  names,  phone  niunbers,  addresses  and  iiiformation  from 
employers  to  identify  individuals  listed  under  different  names  in  separate  databases.  The 
software  can  find  information  by  comparing  records  in  multiple  databases,  however  the 
information  is  scrambled  using  a  “one-way  hash  function,”  which  converts  a  record  to  a 
character  string  that  serves  as  a  unique  identifier  like  a  fingerprint.  Persons  being 
investigated  remain  anonymous,  and  agents  can  isolate  particular  records  without  examining 
any  other  personal  information.  A  record  that  has  been  one-way  hashed  cannot  be  “un¬ 
hashed”  to  reveal  information  contained  in  the  original  record.  Steve  Mollman,  March  1 1 , 
2003,  Betting  on  Private  Data  Search,  Wired.com. 

®^  Robert  O’Harrow,  August  6  2003,  U.S.  Backs  Florida  ’sNew  Counterterrorism  Database, 
Washington  Post,  p.  AOl. 
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For  more  information  about  TIA,  data  mining  technology,  and  other  related 
privacy  issues,  see  CRS  Reports  RL31786,  RL31730,  RL31798,  or  RL31846. 

The  Roles  of  Government,  Industry,  and  Home  Users 

National  Director  for  Cyber  Security.  A  potential  issue  for  Congress  is 
vdiether  the  new  national  director  for  cyber  security  is  a  position  senior  enough  within 
DHS  to  elevate  concerns  about  cyber  security  to  an  appropriate  level,  relative  to  other 
concerns  about  physical  security.®^  Early  plans  for  naming  the  new  cyber  security 
director  were  seen  as  closely  guarded  by  the  administration,  causing  some  industry 
observers  to  express  concern  that  cyber  security  may  be  losing  visibility  within  the 
administration.®’  In  September  2003,  DHS  formally  announced  Amit  Yoran  as  new 
director  of  its  cyber  security  division,  with  responsibility  for  implementing 
recommendations  to  improve  national  (tyber  security. 

National  Strategy  to  Secure  Cyberspace.  Another  potential  issue  is 
v^ether  the  National  Strategy  to  Secure  Cyberspace  should  rely  on  voluntary  action 
on  the  part  of  private  firms,  home  users,  universities,  and  government  agencies  to  keep 
their  networks  secure,  or  vdiether  there  may  be  a  need  for  possible  regulation  to  ensure 
best  security  practices.  Some  security  eiqperts  believe  that  public  response  has  been 
slow  to  improve  computer  security  despite  warnings  about  possible  cyber  terrorism, 
partly  because  there  are  no  regulations  currently  imposed  by  the  National  Strategy  to 
Secure  Cyberspace.®®  Others  in  the  technology  industry,  however,  believe  that 
regulation  would  interfere  with  innovation  and  possibly  harm  U.S.  competitiveness. 


Commercial  Software  Vulnerabilities.  Another  issue  is  whether  software 
product  vendors  should  be  required  to  create  higher  quality  software  products  that  are 
more  secure  and  that  need  fewer  patches.  Software  vendors  may  increase  the  level  of 


^  The  DHS  cybersecurity  center  will  have  five  primary  roles:  conducting  cybersecurity 
research;  developing  performance  standards;  fostering  public-private  sector  commimication; 
supporting  the  DHS  information  analysis  and  infrastructure  protection  directorate;  and 
working  with  the  National  Science  Foundation  on  educational  programs.  CongressDailyAM, 
May  15, 2003. 

®’  The  Department  of  Homeland  Security  has  selected  Amit  Yoran,  formerly  vice  president 
for  Managed  Security  Services  at  Symantec  Corporation,  to  lead  the  agency’s  cyber-security 
division,  Caron  Carlson,  September  15,  2003,  Feds  Tap  Cyber  Security  Chief,  Computer 
Cops,  Pittp;//computercops.biz/article3 138.html.] 

®®  Business  executives  may  be  cautious  about  spending  for  large  new  technology  projects, 
such  as  placing  new  emphasis  on  computer  security.  Results  fi’om  a  February  2003  survey 
of  business  executives  indicated  fliat  45  percent  of  respondents  believed  that  many  large 
Information  Technology  (IT)  projects  are  often  too  expensive  to  justify.  Managers  in  the 
survey  pointed  to  the  estimated  $  1 25 .9  billion  dollars  spent  on  IT  proj  ects  between  1977  and 
2000  in  preparation  for  the  year  2000  (Y2K)  changeover,  now  viewed  by  some  as  a  non- 
event.  Sources  reported  that  some  board-level  executives  stated  that  flie  Y2K  problem  was 
overblown  and  over  funded  then,  and  as  a  result,  they  are  now  much  more  cautious  about 
future  spending  for  any  new,  massive  IT  initiatives.  Gary  H.  Anthes  and  Thomas  Hoffinan, 
May  12, 2003,  Tarnished  Image,  Computerworld,  Vol.  37,  No.  19,  p.  37. 
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security  for  their  products  by  rethinking  the  design,  or  by  adding  more  test  procedures 
during  product  development.  However,  some  vendors  reportedly  have  said  that  their 
customers  may  not  be  willing  to  pay  the  costs  for  additional  security,  and  that 
additional  testing  will  slow  the  innovation  process  and  possibly  reduce  U.S. 
competitiveness  in  the  global  software  market.®’ 

Awareness  and  Education.  Should  computer  security  training  be  offered 
to  all  computer  users  to  keep  them  aware  of  constantly  changing  computer  security 
threats,  and  to  encourage  them  to  follow  proper  seciuity  procedures  to  protect  against 
possible  cyber  attack?  One  type  of  cyber  attack,  known  as  “Denial  of  Service”,  has 
been  known  to  occur  vdien  thousands  of  individual  PCs  are  secretly  taken  over  by 
attack  programs,  and  then  directed  to  collectively  overpower  and  disable  one  or  more 
targeted  computers  located  elsevdiere  on  the  Internet.  Many  of  the  PCs  taken  over  by 
hackers  may  belong  to  individual  home  users  wiio  have  not  had  computer  security 
training,  but  who  may  currently  feel  no  motivation  to  voluntarily  participate  in  a 
training  program. 

Coordination  to  Protect  Against  Cyber  Terrorism 

Coordination  between  the  private  sector  and  government  requires  mutual 
confidence  about  any  information  they  exchange  on  computer  security 
vulnerabilities.®®  To  be  most  effective,  cyber  security  requires  sharing  of  information 
about  threats,  vulnerabilities,  and  exploits.  The  private  sector  wants  information  from 
the  government  on  specific  threats  which  die  government  may  currently  consider 
classified.  The  government  wants  specific  information  from  private  industry  about 
vulnerabilities  and  incidents  which  companies  say  they  want  to  protect  to  avoid 
publicity  and  to  guard  trade  secrets.  A  recent  GAO  survey  of  local  government 
officials  also  found diat  there  was  currently  no  process  for  effectively  sharing  state  and 
city  information  with  federal  agencies.  The  GAO  study  recommended  that  DHS 
strengthen  information  sharing  by  incorporating  states  and  cities  into  its  “enterprise 
architecture”  planning  process.®^ 

Information  Sharing.  A  potential  issue  for  Congress  is  vvfrether  to  protect 
from  public  disclosure  through  FOIA  any  vulnerability  information  that  is  voluntarily 
shared  between  private  companies  and  state,  local,  and  federal  government.  DHS,  in 
a  recent  notice  of  proposed  rule  making  (see 
[http://edocket.access.gpo.gOv/2003/03-9126.htm]),  indicated  that  technology  and 
telecommimications  companies  should  volvmtarily  submit  information  to  DHS 
vdienever  a  security  vulnerability  is  discovered  in  one  of  their  products.  DHS 


Building  in  more  security  adds  to  the  cost  of  a  software  product.  Now  that  software 
features  are  similar  across  brands,  software  vendors  have  indicated  that  their  customers, 
including  federal  government  agencies,  often  make  purchases  based  largely  on  product 
price.  NSA,  2001,  Conference  on  Software  Product  Security  Features,  Information 
Assurance  Technical  Information  Framework  Forum,,  Laurel,  Maryland. 

John  Moteff,  August  7,  2003,  Critical  Infrastructures:  Background,  Policy  and 
Implementation,  p.  CRS-28. 

®^  GAO,  August  2003 ,  Homeland  Security:  Efforts  To  Improve  Information  Sharing  Need 
to  Be  Strengthened,  GAO-03-760. 
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proposed  that  this  critical  infrastructure  information  should  be  protected  from 
unauthorized  disclosure.  However,  the  proposal  is  controversial  because  that 
protection  possibly  may  not  extend  to  requests  for  disclosure  under  FOIA,’®  and  also, 
conversely,  because  media  and  public  advocacy  groups  are  concerned  that  industries 
will  use  the  process  to  shield  information  that  might  otherwise  be  available  through 
FOIA. 

International  Issues.  Should  the  U.  S.  find  effective  ways  to  encourage  more 
international  cooperation  during  attempts  to  trace  and  identify  a  cyber  attacker?  As 
yet,  no  evidence  has  been  published  to  confirm  that  a  computer  attack  has  been 
launched  against  U.S.  critical  infrastructure  targets  for  terrorist  purposes,’’  but  the 
problem  may  be  masked  because  there  is  currently  no  reliable  way  to  determine  the 
origin  of  a  computer  attack.’’  Attackers  can  hide  details  of  their  true  location  by 
hopping  from  one  computer  system  to  another,  sometimes  taking  a  path  that  connects 
networks  and  computers  in  many  different  countries.  Pursuit  may  involve  atrace  back 
through  networks  requiring  the  cooperation  of  many  Internet  Service  Providers  located 
in  several  different  nations.  Pursuit  is  made  increasingly  complex  if  one  or  more  of 
the  nations  involved  has  a  legal  policy  or  political  ideology  that  conflicts  with  that  of 
the  United  States.” 

Another  potential  issue  is  whether  U.S.  national  security  may  be  threatened  by 
using  commercial  software  products  developed  in  foreign  countries.’"’  Commercial 
software  development  is  increasingly  outsourced  to  foreign  countries,  raising 
questions  about  possible  imbedded  vulnerabilities  created  by  foreign  programmers 
^o  may  sympathize  with  terrorist  objectives.  A  recent  study  by  Gartner  Inc.,  a 
technology  research  organization,  predicts  that  by  2004,  more  than  80  percent  of  U.S. 
companies  will  consider  outsourcing  critical  IT  services,  including  software 


™  Shawn  P.  McCarthy,  2003,  HDS  Should fix  a  Big  Weakness:  Spoofing,  Vol.  22,  no.  10, 
p.30,  [http://www.gcn.com]. 

In  May  1998,  U.S.  intelligence  officials  told  reporters  in  a  briefing  fliat  an  ethnic  group 
called  the  Tamil  Tigers,  a  guenilla  group  also  labeled  as  a  terrorist  organization,  attempted 
to  swamp  Sri  Lankan  embassies  with  electronic  mail.  Anthony  Townsend,  May  5, 1998, 
First  Cyberterrorist  Attack  Reported  by  U.S,  Reuters. 

”  Trace  back  to  identify  a  cyber  attacker  at  the  granular  level  remains  problematic. 
Dorothy  Denning,  Information  Warfare  and  Security,  Addison-Wesley,  1999.  p.217. 

”  In  Argentina,  a  group  calling  themselves  the  X-Team,  hacked  into  the  web  site  of  that 
coimtry’s  Supreme  Court  in  April  2002.  The  trial  judge  stated  that  the  law  in  his  country 
covers  crime  against  people,  things,  and  animals  but  not  web  sites.  The  group  on  trial  was 
declared  not  guilty  of  breaking  into  the  web  site.  Paul  Hillbeck,  Argentine  judge  rules  in 
favor  of  computer  hackers,  February  5, 2002, 

[http://www.siliconvalley.com/  mld/siliconvalley/news/editorial/3070194.htm]. 

”  In  2000,  news  sources  reported  that  the  Defense  Agency  of  Japan  halted  the  introduction 
of  a  new  computer  system  after  discovering  that  some  of  the  software  had  been  developed 
by  members  of  the  Aum  Shituikyo  cult,  which  was  responsible  for  the  fatal  1995  Tokyo 
subway  gas  attack.  The  Defense  Agency  was  one  of  90  government  agencies  and  industry 
firms  that  had  ordered  software  produced  by  the  cult.  Richard  Power,  2000,  Current  & 
Future  Danger:  A  CSI  Primer  on  Computer  Crime  and  Information  Warfare,  Computer 
Security  Institute. 
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development.  Corporations  justify  their  actions  by  saying  that  global  economic 
competition  makes  outsourcing  of  IT  projects  overseas  abusiness  necessity.  Oracle, 
a  major  database  software  vendor  and  a  supplier  to  U.S.  intelligence  agencies,  has  in 
the  past  contracted  for  software  development  in  India  and  China.  Terrorist  networks 
are  known  to  exist  in  other  countries  located  in  Southeast  Asia  where  some  contract 
work  has  been  outsourced,  such  as  Malaysia  and  Indonesia.  Other  possible  recipients 
of  outsourced  proj  ects  are  countries  such  as  Israel,  India,  Pakistan,  Russia  and  China. 


Options  for  Congress 


Privacy 

Congress  may  wish  to  consider  whether  more  research  should  be  encouraged  into 
database  search  technologies  that  provide  more  protection  for  individual  privacy  while 
helping  to  detect  terrorist  activities.  Pre-operative  surveillance  and  anonymous 
meetings  via  the  Internet  now  characterize  the  early  planning  stages  of  many  cyber 
attacks  launched  by  hackers.  A  cyber  terrorist  attack  may  possibly  involve  similar 
characteristics  during  the  planning  stage  that  may  be  detectable  before  the  attack  can 
be  launched. 

The  Roles  of  Government,  Industry,  and  Home  Users 

Another  issue  concerns  setting  standards  to  improve  national  computer  security. 
Some  observers  have  reportedly  stated  that  the  annual  Computer  Security  Institute 
(CSI)  computer  security  survey,  which  is  often  relied  upon  as  a  measure  of  current 
trends  in  computer  security  threats  and  vulnerabilities,  is  actually  limited  in  scope  and 
may  possibly  contain  statistical  bias.^®  This  has  led  to  suggestions  for  an  analysis  of 
costs  and  benefits  for  setting  standards  to  improve  computer  security,  aiming  towards 
a  more  carefully  designed  and  statistically  reliable  andysis  of  threats,  risks,  and  the 
costs  and  benefits  associated  with  alternate  policies  to  improve  cyber  security  by 
indicating  which  security  practices  are  most  effective  and  efficient. 

Another  issue  concerns  the  extent  to  which  public  officials  and  industry 
managers  should  be  held  responsible  for  their  performance  in  ensuring  cyber  security. 
Some  observers  reportedly  have  indicated  that  the  National  Strategy  to  Secure 
Cyberspace  currently  may  not  present  a  clear  link  between  security  obj  ectives  and  the 
incentives  required  to  help  achieve  those  objectives. 


’’  Dan  Verton,  May  5,  2003,  Offshore  Coding  Work  Raises  Security  Concerns, 
Computerworld,  Vol.37,No.l8,  p.  1. 

Respondents  to  the  CSI  survey  of  computer  security  issues  are  generally  limited  to  CSI 
members.  Recently,  CSI  has  conceded  weaknesses  in  its  analytical  approach  and  has 
suggested  that  its  siuvey  of  computer  security  vulnerabilities  and  incidents  may  be  more 
illustrative  than  systematic.  Bruce  Berkowitz  and  Robert  W.  Hahn,  Spring  2003, 
Cybersecurity:  Who ’s  Watching  the  Store?,  Issues  in  Science  and  Technology. 
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There  are  suggestions  to  examine  ways  to  provide  incentives  that  motivate  the 
software  industry  to  improve  the  security  and  quality  of  their  products  before  they  are 
released  for  purchase.’’  One  option  mentioned  would  include,  as  part  of  the 
requirement  for  tire  purchase  of  civilian  agency  software,  certification  under  the 
“Common  Criteria”’*  testing  program,  as  is  now  required  for  the  purchase  of  military 
software.  However,  industry  observers  point  out  that  the  certification  process  is 
lengthy,  and  may  interfere  with  innovation  and  competitiveness. 

Coordination  to  Protect  Against  Cyber  Terrorism 

Information  Sharing.  Another  issue  is  ^^ilether  voluntary  information  should 
be  shielded  from  disclosure  through  Freedom  of  Information  Act  requests.  Proponents 
argue  that  information  about  computer  security  threats  and  vulnerabilities,  if  shared 
more  effectively,  could  help  both  industry  and  government  systematically  reduce 
cyber  security  vulnerabilities,  and  identify  attempted  cyber  terrorism  activity. 
However,  many  firms  are  reluctant  to  share  this  important  information  with 
government  agencies  because  of  the  possibility  of  having  competitors  become  aware 
of  a  company’s  security  vulnerabilities. 

S.  609  -  This  legislation  proposes  to  reduce  the  number  of  categories  for 
exemptions  to  FOIA  now  proposed  under  Section  2 1 4  of  the  Homeland  Security 
Act,  because  of  concerns  about  limitations  to  freedom  of  the  press.  The  bill  was 
referred  to  Committee  on  the  Judiciary  on  March  12, 2003. 

Education  and  Incentives.  Many  of  the  same  vulnerabilities  that  affect 
government  and  corporate  computers,  requiring  systems  administrators  to  install 
software  patches,  also  affect  computers  belonging  to  millions  of  home  PC  users.’® 
Congress  may  wish  to  examine  ways  to  provide  education,  such  as  public  awareness 


”  In  the  wake  of  widespread  attacks  by  Internet  worms,  Microsoft  is  weighing  options  to 
get  more  users  to  secure  their  computers,  including  automatically  applying  security  patches 
to  PCs  remotely.  Joris  Evers,  August  22,  2003,  Microsoft  Ponders  Automatic  Patching, 
NetworkWorldFusion,  [http://www.nwftision.eom/news/2003/0822mspatch.html]. 

Agencies  operating  national  security  systems  are  required  to  purchase  software  products 
from  a  list  of  lab-tested  and  evaluated  products  in  a  program  run  by  the  National  Information 
Assurance  Partnership  (NIAP),  a  joint  partnership  between  the  National  Security  Agency 
and  the  National  Institute  of  Standards  and  Technology.  The  NIAP  is  the  U.S.  government 
organization  that  works  in  parallel  to  similar  organizations  in  a  dozen  other  coimtries  around 
the  world  which  have  endorsed  the  international  security-evaluation  regimen  known  as  the 
“Common  Criteria.”  The  program  requires  vendors  to  submit  software  for  review  in  an 
accredited  lab,  a  process  that  often  takes  a  year  and  costs  several  thousand  dollars.  The 
review  previously  was  limited  to  military  national  security  software,  however,  the 
administration  has  stated  that  the  govenunent  will  undertake  a  review  of  the  program  in 
2003  to  “possibly  extend”  it  as  a  requirement  for  civilian  agencies.  Ellen  Messmer, 
February  14, 2003,  White  House  issue  ‘National  Strategy  to  Secure  Cyberspace  Network 
World  Fusion,  [http://www.nwftision.eom/news/2003/0214ntlstrategy.html]. 

A  spokesperson  for  the  Computer  Emergency  Response  Team  at  Carnegie  Mellon  has 
reportedly  stated  that  most  people  may  not  yet  realize  that  anti-virus  software  and  a  firewall 
are  no  longer  enough  to  protect  computers  anymore.  Charles  Duhigg,  August  28  2003,  Fight 
Against  Viruses  Mty  Move  to  Servers,  Washington  Post,  p.EOl. 
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messages  about  computer  security,  or  provide  other  incentives  to  encourage  home  PC 
users  to  follow  the  best  security  practices. 


Legislative  Activity 

The  Cyber  Security  Research  and  Development  Act  (P.L.  107-305),  authori2ed 
$903  million  over  five  years  for  new  research  and  training  programs  by  the  National 
Science  Foundation  and  NIST  to  prevent  and  respond  to  terrorist  attacks  on  private 
and  government  computers.  The  House  Science  Committee  also  held  a  hearing  on 
May  14,  2003  on  Cybersecurity  Research  and  Development,  with  testimony  by  the 
DHS  Under  Secretary  for  Science  and  Technology.  A  $5  million  budget  allocation 
is  currently  set  aside  for  Information  Technology  R&D. 

The  Subcommittee  on  Cybersecurity,  Science,  and  Research  &  Development  of 
the  House  Select  Committee  on  Homeland  Security  also  held  a  series  of  hearings  on 
cyber  security  issues  during  the  summer  of 2003 .  Tlie  series  was  intended  to  (1 )  raise 
awareness  among  members  of  Congress  about  cyber  security  risks,  (2)  examine  the 
views  of  security  experts  on  the  state  of  security  for  the  critical  infrastructure,  (3) 
present  the  views  of  industry  experts  on  how  DHS  might  best  help  resolve  cyber 
security  issues,  and  (4)  provide  an  opportunity  for  DHS  officials  to  respond  to 
questions  raised  in  the  preceding  three  hearings.  On  October  1,  2003,  the 
Subcommittee  also  held  an  executive  session  oversight  hearing  titled,  “Security  of 
Industrial  Control  Systems  in  Our  Nation’s  Critical  Infrastructure”  with  testimony 
provided  by  government  agencies  and  by  experts  on  industrial  computer  systems. 

Following  the  September  11,  2001  attacks,  the  Federal  Information  Security 
Management  Act  (FISMA)  of  2002  was  enacted  giving  responsibility  for  setting 
security  standards  for  civilian  federal  agency  computer  systems  to  the  Office  of 
Management  and  Budget  (OMB).*°  Responsibility  for  security  standards  for  national 
defense  systems  remains  primarily  with  DOD  and  NSA. 

The  following  bills  identify  recent  legislative  activity  that  is  related  to  prevention 
of  cyber  terrorism,  or  related  to  collection  of  information  on  possible  terrorist 
activities. 

1.  S.  6  -  proposes  that  information  about  vulnerabilities  and  threats  to  the 
critical  infrastructure  that  is  furnished  voluntarily  to  the  DHS  shall  not  be 
made  available  either  to  the  public  or  other  federal  agencies  xmder  the 
Freedom  of  Information  Act.  This  bill  was  referred  to  Committee  on  the 
Judiciaiy  on  January  7, 2003. 


Under  FISMA,  the  Director  of  0MB  (1)  oversees  the  implementation  of  information 
security  policies  for  civilian  federal  agencies,  (2)  requires  agencies  to  identify  and  provide 
information  security  protection  appropriate  for  the  level  of  risk  and  magnitude  of  harm 
resulting  from  possible  destruction  of  information  or  systems,  and  (3)  coordinates  the 
development  of  security  standards  and  guidelines  developed  between  NIST,  NSA,  and  other 
agencies  to  assure  they  are  complementary  with  standards  and  guidelines  developed  for 
national  security  systems.  See  44  U.S.C.,  Section  3543  (a). 
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2.  S.  187  -  proposes  to  eliminate  FT  vulnerabilities  in  the  federal  government 

to  protect  against  cyber  attacks  and  possible  cyber  terror.  The  National 
Cyber  Security  Leadership  Act  of  2003,  if  passed,  will  require  the  Chief 
Information  Officer  of  each  Federal  agency  to  report  annually  to  the 
Director  of  0MB  to;  (1)  identify  the  significant  vulnerabilities  of  the 
information  technology  of  such  agency;  (2)  establish  performance  goals  for 
eliminating  such  vulnerabilities;  (3)  procure  or  develop  tools  to  identify  and 
eliminate  those  vulnerabilities  in  order  to  achieve  such  performance  goals; 
(4)  train  personnel  in  the  utilization  of  those  tools;  (5)  test  the  agency’s  IT 
to  determine  the  extent  of  its  compliance  with  the  performance  goals;  and 
(6)  develop  and  implement  apian  to  eliminate  significant  vulnerabilities  in 
order  to  achieve  compliance.  The  bill  was  referred  to  the  Committee  on 
Government  Affairs  on  January  16,  2003. 
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Appendix  A  -  Planning  a  Computer  Attack 

There  are  five  basic  steps  traditionally  used  by  computer  hackers  to  gain 
unauthorized  access,  and  subsequently  take  over  computer  systems.  These  five  steps 
may  be  used  to  plan  a  computer  attack  for  purposes  of  cyber  crime  or  cyber  espionage, 
and  may  also  be  employed  for  purposes  of  cyber  terror.  The  steps  are  frequently 
automated  through  use  of  special  hacker  tools  that  are  freely  available  to  anyone  via 
the  Internet.*’  Highly-skilled  hackers  use  automated  tools  that  are  also  highly 
sophisticated,  and  their  effects  are  initially  much  more  difficult  for  computer  security 
st^  and  technology  to  detect.  These  sophisticated  hacker  tools  are  usually  shared 
only  among  an  exclusive  group  of  odier  highly-skilled  hacker  associates.  The  hacker 
tactics  described  in  this  report  are  also  explained  in  detail  in  many  existing  books  that 
list  possible  defenses  against  computer  attack,  including  “Counter  Hack”  by  Ed 
Skoudis,  2002. 

!  Step  1.  Reconnaissance 

Li  this  first  step,  hackers  employ  extensive  pre-operative  surveillance  to  find 
out  detailed  information  about  an  organization  that  will  help  them  later  gain 
unauthorized  access  to  computer  systems.  The  most  common  method  is  social 
engineering,  or  tricking  an  employee  into  revealing  sensitive  information 
(such  as  a  telephone  number  or  apassword).  Other  mefiiods  include  dumpster 
dving,  or  rifling  through  an  organization’ s  trash  to  find  sensitive  information 
(such  as  floppy  disks  or  important  documents  that  have  not  been  shredded). 
This  step  can  be  automated  if  the  attacker  installs  on  an  office  computer  a 
virus,  worm,  or  “Sp5ware”  program  that  performs  surveillance  and  then 
transmits  useful  information,  such  as  passwords,  back  to  the  attacker. 
“Spyware”  is  a  form  of  malicious  code  that  is  quietly  installed  on  a  computer 
without  user  knowledge  wfren  a  user  visits  a  malicious  web  site.  It  may 
remain  undetected  by  firewalls  or  current  anti-virus  security  products*^  while 
monitoring  keystrokes  to  record  web  activity  or  collect  snapshots  of  screen 
displays  and  oAer  restricted  information  for  transmission  back  to  an  unknown 
third  party. 

!  Step  2.  Scanning 

Once  in  possession  of  special  restricted  information,  or  a  few  critical  phone 
numbers,  an  attacker  performs  additional  surveillance  by  scanning  an 
organization’s  computer  software  and  network  configuration  to  find  possible 
entry  points.  This  process  goes  slovdy,  sometimes  lasting  months,  as  the 
attacker  looks  for  several  vulnerable  openings  into  a  system.** 


Using  these  five  basic  steps,  often  supplemented  ivith  automated  intrusion  tools,  attackers 
have  successfully  taken  over  computer  systems  and  remained  undetected  for  long  periods 
of  time.  Ed  Skoudis,  Counter  Hack,  Prentice  Hall,  New  Jersey,  2002. 

^  For  more  about  Spyware,  see  Spywareinfo  at  [http;//www.spywareinfo.com/]. 

**  An  attacker  m^  use  an  automatic  “War  Dialing”  tool  that  dials  thousands  of  telephone 
numbers,  looking  for  modems  connected  to  a  computer.  If  a  computer  modem  answers 
when  the  War  Dialer  calls,  the  attacker  m^  have  located  a  way  to  enter  an  organization’s 

(continued...) 
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!  Step  3. Gaining  Access 

Once  the  attacker  has  developed  an  inventory  of  software  and  configuration 
vulnerabilities  on  a  target  network,  he  or  she  may  quietly  take  over  a  system 
and  network  by  using  a  stolen  password  to  create  a  phony  account,  or  by 
exploiting  a  vulnerability  that  allows  them  to  install  a  malicious  Troj  an  Horse, 
or  automatic  “bof  ’  that  will  await  further  commands  sent  through  the  Internet. 

!  Step  4;  Maintaining  access 

Once  an  attacker  has  gained  unauthorized  access,  he  or  she  may  secretly 
install  extra  malicious  programs  that  allow  them  to  return  as  often  as  they 
wish.  These  programs,  known  as  “Root  Kits”  or  “Back  Doors”,  run  unnoticed 
and  can  allow  an  attacker  to  secretly  access  a  network  at  will.  If  the  attacker 
can  gain  all  the  special  privileges  of  a  system  administrator,  then  the  computer 
or  network  has  been  completely  taken  over,  and  is  “owned”  by  the  attacker. 
Sometimes  the  attacker  will  reconfigure  a  computer  system,  or  install 
software  patches  to  close  the  previous  security  vulnerabilities  just  to  keep 
other  hackers  out. 

!  Step  5:  Covering  Tracks 

Sophisticated  attackers  desire  quiet,  unimpeded  access  to  the  computer 
systems  and  data  they  take  over.  They  must  stay  hidden  to  maintain  control 
and  gather  more  intelligence,  or  to  refine  preparations  to  maximize  damage. 
The  “Root  Kit”  or  “Trojan  Horse”  programs  often  allow  the  attacker  to 
modify  the  log  files  of  the  computer  system,  or  to  create  hidden  files  to  help 
avoid  detection  by  the  legitimate  system  administrator.  Security  systems  may 
not  detect  the  unauthorized  activities  of  a  careful  intruder  for  a  long  period  of 
time.“ 


(...continued) 

network  and  bypass  firewall  security.  A  newer  way  of  scanning  for  vulnerabilities  is  called 
“War  Driving”,  where  hackers  drive  randomly  through  a  neighborhood  trying  to  detect 
signals  from  business  or  home  wireless  networks.  Once  a  networic  is  detected,  the  hacker 
may  park  nearby  and  attempt  to  log  on  to  gain  free,  unauthorized  access.  Kevin  Poulsen, 
April  12  2001,  War  Driving  by  the  Bay,  Securityfocus.com, 

|http://www.securityfocus.com/news/192]. 

New  “antiforensics  tools”  are  now  available  on  the  Internet  that  allow  hackers  to  more 
effectively  hide  their  actions,  and  thus  defeat  more  investigators  who  search  for  technical 
evidence  of  computer  intrasions.  Anne  Saita,  yizsy  2(i02>,  Antiforensics:  The  Looming  Arms 
Race,  Information  Security,  Vol.  6,  No.  5,  p.l3. 
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Appendix  B  -  Technology  of  Malicious  Code 

Technology  constantly  evolves,  and  new  security  vulnerabilities  are  discovered 
regularly  by  software  vendors,  by  security  organizations,  by  individual  researchers, 
and  often  by  computer  hacker  groups.®^  Security  organizations,  such  as  the  Computer 
'  Emergency  Response  Team  (CERT/CC)  located  at  Carnegie  Mellon,  publish  security 
advisories,  including  information  about  new  software  patches,  usually  before 
computer  hacker  groups  can  take  advantage  of  nev\4y  discovered  computer  security 
vulnerabilities  for  purposes  of  cyber  crime  or  cyber  espionage.  However,  despite 
numerous  alerts,  the  number  of  reported  unauthorized  computer  intrusions  has 
increased  every  year,  with  a  56  percent  increase  reported  between  2001  and  2002.®® 

Currently,  attacks  are  enabled  by  “infecting”  a  computer  with  a  malicious  payload 
program  that  comqjts  data,  performs  surveillance,  or  that  receives  commands  through 
die  Internet  to  paralyze  or  deny  service  to  a  targeted  computer.  A  computer  may 
become  “infected”  if  a  computer  user  mistakenly  downloads  and  installs  a  malicious 
program,  or  mistakenly  opens  an  infected  email  attachment.  Other  malicious 
programs,  known  as  “worms”,  may  actively  and  r^idly  seek  out  other  computers  on 
the  Internet  having  a  specific  non-patched  vulnerability,  and  automatically  install 
themselves  without  any  action  required  on  the  part  of  the  victim.®’ 

A  virus  is  one  form  of  malicious  program  that  often  immediately  corrupts  data 
or  causes  a  malfunction.  A  Trojan  Horse  is  another  form  of  malicious  program  that 


In  September  2003,  DHS  warned  U.S.  industry  and  the  federal  government  to  expect 
potentially  significant  attacks  to  emerge  against  Internet  operations,  similar  to  the  recent 
Blaster  worm  exploit,  because  of  newly  discovered  critical  flaws  in  Windows  software  that 
were  announcedby  Microsoft  Corporation.  JaikmnarVijayan,  September  15,  lQQii,Attacks 
on  New  Windows  Flaws  Expected  Soon,  Computerworld,  Vol.  37,  No.  37,  p.  1 . 

®®  A  single  reported  computer  security  incident  may  involve  one  site  or  hundreds  (or  even 
thousands)  of  sites.  Also,  some  incidents  m^  involve  ongoing  activity  for  long  periods  of 
time.  CERT  estimates  that  as  much  as  80  percent  of  actual  security  incidents  goes 
unreported,  in  most  cases  because  (1)  the  organization  was  unable  to  recognize  that  its 
systems  had  been  penetrated,  or  there  were  no  indications  of  penetration  or  attack,  or  (2)  the 
organization  was  reluctant  to  publicly  admit  to  being  a  victim  of  a  computer  security  breach. 
CERT, 2003,  CERT/CC  Statistics  1988-2002,  2003,  April  15, 

[http://www.cert.Org/stats/cert_stats.html#incidents.]  CERT,  2003,  CERT/CC  Statistics, 
2003,  [http://www.cert.oig/stats/cert_stats.html.] 

MARC  Commuter  and  CSX  freight  rail  service  experienced  cancellations  and  delays  on 
August  21, 2003,  because  of  a  virus  that  disabled  the  computer  systems  at  the  CSX  railway 
Jacksonville,  Florida  headquarters.  The  recent  “Blaster”  worm  attacked  more  than  5 00,000 
computers  worldwide  within  one  week.  The  “Blaster^’  attack  was  quickly  followed  the  next 
week  by  another  worm  that  spread  worldwide,  called  “Welchia”,  which  installed  itself  on 
computers  by  taking  advantage  of  the  same  vulnerability  used  by  Blaster.  Brian  Krebs, 
August  18  2003,  ‘Good’  Worm  Eixes  Infected  Computers,  Washingtonpost.com.  The 
“Welchia”  worm  also  disrupted  the  highly  secure  Navy  Marine  Corps  Intranet  (NMCI) 
during  the  week  of  August  1 1,  by  flooding  it  with  imwanted  trafiic.  This  was  the  first  time 
in  the  history  of  the  highly  secure  network  that  it  was  disrupted  by  an  outside  cyber  attack. 
Diane  Frank,  August  25  2003,  Attack  of  the  Worms:  Feds  Get  Wake-Up  Call,  Federal 
Computer  Week,  Vol  17,  No.  29,  p.8. 
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quietly  and  secretly  displaces  the  functions  of  an  existing  trusted  program  on  the 
computer.  An  attack  program,  once  installed,  may  quietly  “listen”  for  a  special 
command  sent  tiirough  the  Internet  from  a  remote  source,  instructing  it  to  begin 
activation  of  malicious  program  instructions.  Anotiier  type  of  malicious  program, 
known  as  “spyware”,  has  a  surveillance  or  espionage  capability  that  enables  it  to 
secretly  record  and  automati  cally  transmit  keystrokes  and  oft  er  information  (including 
passwords)  back  to  a  remote  attacker.**  Other  types  of  malicious  code  may  combine 
some  or  all  of  the  characteristics  of  viruses,  worms,  Trojan  Horses,  or  spyware  along 
with  the  ability  to  randomly  change  the  electronic  appearance  (polymorphism)  of  the 
resulting  attack  code.  This  ability  to  change  makes  many  of  the  newer  viruses,  worms, 
and  Trojan  Horses  very  difficult  for  most  anti-virus  security  products  to  detect.*® 

Malicious  programs  attack  by  disrupting  normal  computer  functions,  or  by 
opening  a  back  door  for  a  remote  attacker  to  take  control  of  the  computer.  Sometimes 
an  attacker  can  quietly  take  full  control  of  a  computer  with  the  owner  remaining 
unaware  that  his  or  her  machine  is  compromised.  An  attack  can  either  immediately 
disable  a  computer,  or  incorporate  a  time  delay,  after  which  a  remote  command  will 
direct  the  infected  computer  to  transmit  harmful  signals  that  disrupt  other  computers. 
An  attack  can  trigger  the  automatic  transmission  of  huge  volumes  of  harmful  signals 
that  can  very  rapidly  disrupt  or  paralyze  many  thousands  of  other  computers 
throughout  fte  Internet,  or  severely  clog  transmission  lines  with  an  abundance  of 
bogus  messages,  causing  portions  of  fte  Internet  to  become  slow  and  unresponsive. 

Preparation  for  a  cyber  crime  or  cyber  espionage  computer  attack  by  a  hacker  may 
sometimes  proceed  slowly,  or  in  several  phases,  before  a  final  attack  is  initiated  that 
will  cause  maximum  damage.  Some  compromised  computers  can  become  part  of  an 
automatic  “bof’  network,  quietly  performing  espionage  by  transmitting  data  or 


**  The  FBI  is  investigating  what  private  security  experts  believe  to  be  the  first  Internet 
attack  aimed  primarily  at  a  single  economic  sector.  The  malicious  code,  discovered  in  June 
2003,  contains  a  list  of  roughly  1,200  Web  addresses  for  many  of  the  world’s  largest 
financial  institutions,  including  J.P.  Morgan  Chase  &  Co.,  American  Express  Co.,  Wachovia 
Corp.,  Bank  of  America  Corp.  and  Citibank  N.A.  “Bugbear”  is  a  polymorphic  worm/virus 
that  has  keystroke-logging  and  mass-mailing  capabilities,  and  attempts  to  terminate  various 
antivirus  and  firewall  programs.  Though  most  major  banks  do  not  put  sensitive  information 
on  the  Internet,  the  worm  will  attempt  to  use  information  captured  from  a  desktop  PC  to 
break  into  restricted  computers  that  do  contain  financial  data.  For  example,  experts  found 
that  the  Bugbear  software  is  programmed  to  determine  whether  a  victim  used  an  e-mail 
address  that  belonged  to  any  of  the  1,300  financial  institutions  listed  in  its  blueprints.  If  a 
match  is  made,  it  tries  to  steal  passwords  and  other  information  that  would  make  it  easier 
for  hackers  to  break  into  a  bank’s  networks.  The  software  then  transmits  stolen  passwords 
to  10  e-mail  addresses,  which  also  are  included  in  the  blueprints.  But  experts  said  that  on 
the  Internet  anyone  can  easily  open  a  free  e-mail  accoimt  using  a  false  name,  and  so 
knowing  those  addresses  might  not  lead  detectives  to  the  culprit.  A.P.,  June  10, 2003,  Feds 
Warn  Banks  About  Internet  Attack,  CNN. Com, 

[http://www.cnn.eom/2003/TECH/mtemet/06/10/virus.banks.ap/index.html]. 

*’  The  Naval  Postgraduate  School  is  developing  a  new  network  security  tool  called 
“Therminator”,  that  is  designed  to  detect  possible  computer  attacks  by  carefully  monitoring 
network  traffic.  Jason  Ma,  October  6, 2003, NFS  Touts  Therminator  As  Early-Warning  Tool 
for  Computer  Attacks,  Inside  the  Navy,  Navy- 16-40-1 2. 
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intermediate  preparatory  instructions  back  and  forth  between  compromised  computers, 
v^ile  awaiting  a  special  final  activation  signal  originating  from  the  attacker.  The  final 
activation  phase  may  direct  all  compromised  computers  to  inundate  a  targeted 
computer  with  bogus  messages,  or  insert  phony  data  into  critical  computer  systems, 
causing  them  to  malfunction  at  a  crucial  point,  or  affect  odier  computers  downstream. 
Some  recent  computer  attacks  have  focused  on  only  a  single  new  computer 
vulnerability,  and  have  been  seen  to  spread  worldwide  through  the  Internet  with 
astonishing  speed.®® 


The  “Slammer”  worm  attacked  Microsoft’s  database  software  and  spread  through  the 
Internet  over  one  weekend  in  January  2003.  According  to  a  preliminary  study  coordinated 
by  the  Cooperative  Association  for  Internet  Data  Analysis  (CAIDA),  on  January  25, 2003, 
the  SQL  Slammer  worm  (also  known  as  “Sapphire”)  infected  more  than  90  percent  of 
vulnerable  computers  worldwide  within  10  minutes  of  its  release  on  the  Internet,  making  it 
the  fastest  computer  worm  in  history.  As  the  study  reports,  exploiting  a  known  vulnerability 
for  which  a  patch  has  been  available  since  July  2002,  Slammer  doubled  in  size  every  8.5 
seconds  and  achieved  its  full  scarming  rate  (55  million  scans  per  second)  after  about  3 
minutes.  It  caused  considerable  harm  through  network  outages  and  such  unforeseen 
consequences  as  canceled  airline  flights  and  automated  teller  machine  (ATM)  failures. 
Further,  the  study  emphasizes  that  the  effects  would  likely  have  been  more  severe  had 
Slammer  carried  a  malicious  payload,  attacked  a  more  widespread  vulnerability,  or  targeted 
a  more  popular  service.  The  malicious  code  disrupted  more  than  13,000  Bank  of  America 
automated  teller  machines,  causing  some  machines  to  stop  issuing  money,  and  took  most  of 
South  Korea  Internet  users  offline.  As  many  as  five  of  the  13  Internet  root  name  servers 
were  also  slowed  or  disabled,  according  to  Anti-virus  firm  F-Secxme.  Robert  F.  Dacey, 
2003,  INFORMATION  SECURITY:  Progress  Made,  But  Challenges  Remain  to  Protect 
Federal  Systems  and  the  Nation ’s  Critical  Infrastructures,  Matt  Loney,  2003,  Computer 
worm  slows  global  Net  traffic,  [http://news.com.eom/2102-1001-982131.html,]  Robert 
Lemos,2003,  Worm  exposes  apathy,  Microsoft  flaws, 

[http  ://news.com.com/2 1 02-100 1-982135  .html] . 
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Appendix  C  -  Comparison  of  Computer  Attacks  and 

Terrorist  Tactics 

Similarities  may  exist  in  characteristics  of  some  tactics  used  to  prepare  for  and 
execute  a  cyber  crime  or  cyber  espionage  computer  attack,  and  tactics  used  to  prepare 
for  and  execute  some  recent  physical  terrorist  operations.  For  example,  (1)  network 
meetings  in  cyberspace,  (2)  extensive  pre-operative  surveillance,  (3)  exploits  of  soft 
and  vulnerable  targets,  and  (4)  swarming  methods  may  all  be  characteristics  of  tactics 
used  by  some  terrorist  groups  as  well  as  by  computer  hackers.  Knowing  these 
similarities  may  be  helpful  to  investigators  as  they  explore  different  methods  to  detect 
planning,  and  help  prevent  a  possible  cyber  attack  by  terrorist  groups. 

The  organizational  structures  of  many  terrorist  groups  are  not  well  understood 
and  are  usually  intended  to  conceal  the  interconnections  and  relationships.®'  A 
network  organization  structure  (as  opposed  to  a  hierarchical  structure)  favors  smaller 
units,  giving  the  group  the  ability  to  attack  and  quickly  overwhelm  defenders,  and  then 
just  as  quickly  disperse  or  disappear.  Terrorist  groups  using  a  network  structure  to 
plan  and  execute  an  attack  can  place  government  hierarchies  at  a  disadvantage  because 
a  terrorist  attack  often  blurs  the  traditional  lines  of  authority  between  agencies  such 
as  police,  the  military,  and  other  responders. 

Similarly,  computer  hackers  are  often  composed  of  small  groups  or  individuals 
vdio  meet  anonymously  in  network  chat  rooms  to  exchange  information  about 
computer  vulnerabilities,  and  plan  ways  to  exploit  them  for  cyber  crime  or  cyber 
espionage.  By  meeting  only  in  cyberspace,  hackers  can  quickly  disappear  vriienever 
government  authorities  try  to  locate  them.  Hackers  have  also  designed  recent 
computer  exploits  that  launch  anonymously  from  thousands  of  infected  computers  to 
produce  waves  of  disruption  that  quickly  overwhelm  a  single  targeted  organization, 
or  multiple  organizations  such  as  a  list  of  banking  institutions. 

In  a  similar  manner,  terrorist  groups  may  also  strike  in  waves  from  multiple 
dispersed  directions  against  multiple  targets,  in  swarming  campaigns.  A  non¬ 
computer  example  of  swarming  may  be  the  May  11,  2003  attack  in  Riyadh,  where 
terrorists  (possibly  A1  Qaeda),  staged  simultaneous  assaults  at  diree  compounds  in 
different  locations,  with  each  assault  involving  a  rapid  strike  with  multiple  vehicles, 
some  carrying  explosives  and  others  carrying  gunmen. 

Terrorist  groups  are  described  by  DHS  as  opportunistic,  choosing  to  exploit  soft 
vulnerabilities  that  are  left  exposed.  Similarly,  an  increasingly  popular  trend  for 
computer  hackers  engaged  in  computer  crime  or  computer  espionage  is  to  use  a 
malicious  program  called  a  worm,  that  pro-actively  spreads  copies  of  itself  through 
the  Internet,  rapidly  finding  as  many  computers  as  possible  with  the  same  non-patched 
vulnerability,  and  then  automatically  installing  itself  to  quietly  await  further 
instructions  from  the  attacker. 
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At  an  appropriate  time,  the  attacker  may  choose  to  send  a  command  through  the 
Internet  to  activate  these  thousands  of  infected  computers,  instructing  them  to  either 
stop  working  properly,  or  reveal  unauthorized  information  (such  as  passwords  or 
credit  card  numbers),  or  attack  and  overvdielm  a  targeted  organization  and  block 
access  to  many  services  on  the  Internet.  A  worm  can  quietly  corrupt  data  on  infected 
computers,  transmit  that  corrupted  data  to  other  downstream  computers,  and  even 
interfere  with  network  response  for  computers  that  have  installed  the  right  security  to 
protect  against  infection. 


